CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence: High
EPSS Percentile: 23.8%
REXML is vulnerable to denial of service (DoS). The vulnerability is due to a lack of proper entity expansion limits when parsing XML with the SAX2 or pull parser API, which allows excessive resource consumption when handling XML documents containing numerous nested or repeated entities.
github.com/advisories/GHSA-5866-49gr-22v4
github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml
www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946