bundle-audit-results/bundle-audit.json

{"version":"0.9.2","created_at":"2024-10-29 08:02:56 +0100","results":[{"type":"unpatched_gem","gem":{"name":"rexml","version":"3.3.7"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rexml/CVE-2024-49761.yml","id":"CVE-2024-49761","url":"https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m","title":"REXML ReDoS vulnerability","date":"2024-10-28","description":"## Impact\n\nThe REXML gem before 3.3.9 has a ReDoS vulnerability when it\nparses an XML that has many digits between `&#` and `x...;`\nin a hex numeric character reference (`&#x...;`).\n\nThis does not happen with Ruby 3.2 or later. Ruby 3.1 is the only\naffected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.\n\n## Patches\n\nThe REXML gem 3.3.9 or later include the patch to fix the vulnerability.\n\n## Workarounds\n\nUse Ruby 3.2 or later instead of Ruby 3.1.\n\n## References\n\n* https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761\n  * Announced on www.ruby-lang.org.\n","cvss_v2":null,"cvss_v3":null,"cve":"2024-49761","osvdb":null,"ghsa":"2rxp-v6pw-ch6m","unaffected_versions":[],"patched_versions":[">= 3.3.9"],"criticality":null}}]}