Snyk High Vulnerability: rexml - Improper Restriction of XML External Entity Reference ('XXE') Vulnerability #402
Assignees
Labels
I & A
Used for ESDIS I&A Sprint Review
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Introduced through
[email protected] and [email protected]
Fixed in
[email protected]
Exploit maturity
No known exploit
Show less detail
Detailed paths
Introduced through: project@* › [email protected] › [email protected]
Fix: No remediation path available.
Introduced through: project@* › [email protected] › [email protected] › [email protected]
Fix: No remediation path available.
Security information
Factors contributing to the scoring:
Snyk: CVSS v4.0 8.2 - High Severity | CVSS v3.1 5.9 - Medium Severity
NVD: Not available. NVD has not yet published its analysis.
Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview
rexml is an An XML toolkit for Ruby.
Affected versions of this package are vulnerable to Improper Restriction of XML External Entity Reference ('XXE') via tree parser APIs like REXML::Document.new function. An attacker can cause the application to consume excessive resources by submitting specially crafted XML documents with many deep elements that have the same local name attributes.
Note:
This is only exploitable if a tree parser API is used to parse untrusted XMLs.
The text was updated successfully, but these errors were encountered: