From 213fda7fa7d78333d68987c2be341af279cab0c8 Mon Sep 17 00:00:00 2001
From: cicd
Date: Mon, 26 Aug 2024 09:35:24 +0200
Subject: [PATCH] commit by to_remotes 2024-08-26 09:35:24 +0200 from cicd
---
 bundle-audit-time.txt | 2 +-
 bundle-audit.json | 2 +-
 report.txt | 11 ++++++++++-
 update-info.txt | 14 ++++++++++----
 4 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/bundle-audit-time.txt b/bundle-audit-time.txt
index aef75f2..16e61c7 100644
--- a/bundle-audit-time.txt
+++ b/bundle-audit-time.txt
@@ -1 +1 @@
-2024-08-23T10:21:53+02:00
+2024-08-26T09:35:24+02:00
diff --git a/bundle-audit.json b/bundle-audit.json
index db8cd77..3f55c96 100644
--- a/bundle-audit.json
+++ b/bundle-audit.json
@@ -1 +1 @@
-{"version":"0.9.1","created_at":"2024-08-23 10:21:53 +0200","results":[]}
\ No newline at end of file
+{"version":"0.9.1","created_at":"2024-08-26 09:35:24 +0200","results":[{"type":"unpatched_gem","gem":{"name":"rexml","version":"3.3.5"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rexml/CVE-2024-43398.yml","id":"CVE-2024-43398","url":"https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3","title":"REXML denial of service vulnerability","date":"2024-08-22","description":"### Impact\n\nThe REXML gem before 3.3.6 has a DoS vulnerability when it parses an\nXML that has many deep elements that have same local name attributes.\n\nIf you need to parse untrusted XMLs with tree parser API like\n`REXML::Document.new`, you may be impacted to this vulnerability.\nIf you use other parser APIs such as stream parser API and SAX2\nparser API, this vulnerability is not affected.\n\nThis vulnerability has been assigned the CVE identifier CVE-2024-43398.\nWe strongly recommend upgrading the REXML gem.\n\n### Patches\n\nThe REXML gem 3.3.6 or later include the patch to fix the\nvulnerability.\n\n### Workarounds\n\nDon't parse untrusted XMLs with tree parser API.\n\n## Affected versions\n\nREXML gem 3.3.5 or prior\n\n## Credits\n\nThanks to l33thaxor for discovering this issue.\n\n## History\n\nOriginally published at 2024-08-22 03:00:00 (UTC)\n","cvss_v2":null,"cvss_v3":5.9,"cve":"2024-43398","osvdb":null,"ghsa":"vmwr-mc7x-5vc3","unaffected_versions":[],"patched_versions":[">= 3.3.6"],"criticality":"medium"}}]}
\ No newline at end of file
diff --git a/report.txt b/report.txt
index 8900c02..b87bc11 100644
--- a/report.txt
+++ b/report.txt
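Review bot: The new `advisory.path` value embeds the CI runner's absolute home directory (`/home/wiseadvice/.local/share/ruby-advisory-db/gems/rexml/CVE-2024-43398.yml`), so every committed audit also records a local username and filesystem layout, which is needless host disclosure if this repository or the JSON is shared beyond the runner. The path carries nothing the `id` and `ghsa` fields do not already give, so strip it before committing, e.g. `jq -c 'del(.results[].advisory.path)' bundle-audit.json > bundle-audit.json.tmp && mv bundle-audit.json.tmp bundle-audit.json`, or record only the repository-relative `gems/rexml/CVE-2024-43398.yml`. Separately, the result is an `unpatched_gem` for rexml 3.3.5 with `patched_versions` `>= 3.3.6`; this commit archives the finding but, as far as this diff shows, nothing bumps the gem, so presumably the lockfile change is expected to follow in a separate commit.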
@@ -1 +1,10 @@
-No vulnerabilities found
+Name: rexml
+Version: 3.3.5
+CVE: CVE-2024-43398
+GHSA: GHSA-vmwr-mc7x-5vc3
+Criticality: Medium
+URL: https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
+Title: REXML denial of service vulnerability
+Solution: upgrade to '>= 3.3.6'
+
+Vulnerabilities found!
diff --git a/update-info.txt b/update-info.txt
index 75a1ba7..5a6414f 100644
--- a/update-info.txt
+++ b/update-info.txt
@@ -1,7 +1,13 @@
 Updating ruby-advisory-db ...
-Already up to date.
+Updating 3a4007e..33907c1
+Fast-forward
+ gems/request_store/CVE-2024-43791.yml | 39 ++++++++++++++++++++++++++
+ gems/rexml/CVE-2024-43398.yml | 52 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 91 insertions(+)
+ create mode 100644 gems/request_store/CVE-2024-43791.yml
+ create mode 100644 gems/rexml/CVE-2024-43398.yml
 Updated ruby-advisory-db
 ruby-advisory-db:
- advisories: 916 advisories
- last updated: 2024-08-21 05:00:56 -0700
- commit: 3a4007eb274e3489c0c553a6da69e1590a65ef2e
+ advisories: 918 advisories
+ last updated: 2024-08-24 11:36:02 -0700
+ commit: 33907c16654555cb6089d8a41c6bd20ce8da2698
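Review bot: The report now lists rexml 3.3.5 against CVE-2024-43398 with `Solution: upgrade to '>= 3.3.6'`, but the commit only records the finding and nothing in it changes the dependency, so the tracked state of the project stays vulnerable until a follow-up bumps rexml (e.g. `bundle update rexml` to 3.3.6 or later). For that follow-up, note that the advisory text committed alongside this report scopes the DoS to the tree parser API (`REXML::Document.new`) on untrusted XML and states the stream and SAX2 APIs are not affected, so exposure depends on whether untrusted XML reaches that API; the upgrade is still the right fix, since a workaround leaves 3.3.5 in the lockfile and this report will keep flagging it. Because the last line flips from `No vulnerabilities found` to `Vulnerabilities found!`, it is also worth confirming that the CI job producing these files fails or notifies on that state rather than silently committing it; that script is not part of this diff.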