bundle-audit-results/bundle-audit.json

{"version":"0.9.1","created_at":"2024-08-26 09:35:24 +0200","results":[{"type":"unpatched_gem","gem":{"name":"rexml","version":"3.3.5"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rexml/CVE-2024-43398.yml","id":"CVE-2024-43398","url":"https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3","title":"REXML denial of service vulnerability","date":"2024-08-22","description":"### Impact\n\nThe REXML gem before 3.3.6 has a DoS vulnerability when it parses an\nXML that has many deep elements that have same local name attributes.\n\nIf you need to parse untrusted XMLs with tree parser API like\n`REXML::Document.new`, you may be impacted to this vulnerability.\nIf you use other parser APIs such as stream parser API and SAX2\nparser API, this vulnerability is not affected.\n\nThis vulnerability has been assigned the CVE identifier CVE-2024-43398.\nWe strongly recommend upgrading the REXML gem.\n\n### Patches\n\nThe REXML gem 3.3.6 or later include the patch to fix the\nvulnerability.\n\n### Workarounds\n\nDon't parse untrusted XMLs with tree parser API.\n\n## Affected versions\n\nREXML gem 3.3.5 or prior\n\n## Credits\n\nThanks to l33thaxor for discovering this issue.\n\n## History\n\nOriginally published at 2024-08-22 03:00:00 (UTC)\n","cvss_v2":null,"cvss_v3":5.9,"cve":"2024-43398","osvdb":null,"ghsa":"vmwr-mc7x-5vc3","unaffected_versions":[],"patched_versions":[">= 3.3.6"],"criticality":"medium"}}]}