wiseadvice_public_repos
/
bundle-audit-results
3
0
Fork 0
Code Wiki

commit by to_remotes 2024-08-26 09:35:54 +0200 from cicd

main
cicd 2024-08-26 09:35:54 +02:00
parent 213fda7fa7
commit 7b421a7e8e
4 changed files with 4 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
bundle-audit-time.txt
View File

@ -1 +1 @@
2024-08-26T09:35:24+02:00
2024-08-26T09:35:54+02:00

2
bundle-audit.json
View File

@ -1 +1 @@
{"version":"0.9.1","created_at":"2024-08-26 09:35:24 +0200","results":[{"type":"unpatched_gem","gem":{"name":"rexml","version":"3.3.5"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rexml/CVE-2024-43398.yml","id":"CVE-2024-43398","url":"https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3","title":"REXML denial of service vulnerability","date":"2024-08-22","description":"### Impact\n\nThe REXML gem before 3.3.6 has a DoS vulnerability when it parses an\nXML that has many deep elements that have same local name attributes.\n\nIf you need to parse untrusted XMLs with tree parser API like\n`REXML::Document.new`, you may be impacted to this vulnerability.\nIf you use other parser APIs such as stream parser API and SAX2\nparser API, this vulnerability is not affected.\n\nThis vulnerability has been assigned the CVE identifier CVE-2024-43398.\nWe strongly recommend upgrading the REXML gem.\n\n### Patches\n\nThe REXML gem 3.3.6 or later include the patch to fix the\nvulnerability.\n\n### Workarounds\n\nDon't parse untrusted XMLs with tree parser API.\n\n## Affected versions\n\nREXML gem 3.3.5 or prior\n\n## Credits\n\nThanks to l33thaxor for discovering this issue.\n\n## History\n\nOriginally published at 2024-08-22 03:00:00 (UTC)\n","cvss_v2":null,"cvss_v3":5.9,"cve":"2024-43398","osvdb":null,"ghsa":"vmwr-mc7x-5vc3","unaffected_versions":[],"patched_versions":[">= 3.3.6"],"criticality":"medium"}}]}
{"version":"0.9.1","created_at":"2024-08-26 09:35:53 +0200","results":[]}

11
report.txt
View File

@ -1,10 +1 @@
Name: rexml
Version: 3.3.5
CVE: CVE-2024-43398
GHSA: GHSA-vmwr-mc7x-5vc3
Criticality: Medium
URL: https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
Title: REXML denial of service vulnerability
Solution: upgrade to '>= 3.3.6'
Vulnerabilities found!
No vulnerabilities found

8
update-info.txt
View File

@ -1,11 +1,5 @@
Updating ruby-advisory-db ...
Updating 3a4007e..33907c1
Fast-forward
gems/request_store/CVE-2024-43791.yml | 39 ++++++++++++++++++++++++++
gems/rexml/CVE-2024-43398.yml | 52 +++++++++++++++++++++++++++++++++++
2 files changed, 91 insertions(+)
create mode 100644 gems/request_store/CVE-2024-43791.yml
create mode 100644 gems/rexml/CVE-2024-43398.yml
Already up to date.
Updated ruby-advisory-db
ruby-advisory-db:
advisories: 918 advisories