CVE-2024-35176 (Medium) detected in rexml-3.2.4.gem

[mend-for-github-com]

CVE-2024-35176 - Medium Severity Vulnerability

Vulnerable Library - rexml-3.2.4.gem

An XML toolkit for Ruby

Library home page: https://rubygems.org/gems/rexml-3.2.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /Gemfile.lock

Dependency Hierarchy:

• kramdown-2.3.0.gem (Root Library)
  • ❌ rexml-3.2.4.gem (Vulnerable Library)

Found in HEAD commit: e18fd672daa5561842258223a173ced78ea399b2

Found in base branch: master

Vulnerability Details

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many <s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.

Publish Date: 2024-05-16

URL: CVE-2024-35176

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vg3r-rm7w-2xgh

Release Date: 2024-05-16

Fix Resolution: rexml - 3.2.7