CVE-2024-49761

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49761.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1333"
    ]
}

References

Affected packages

Git / github.com/ruby/rexml

Affected ranges

Type: GIT
Repo: https://github.com/ruby/rexml
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ce59f2eb1aeb371fe1643414f06618dbe031979f

Affected versions

v3.*

v3.1.8

v3.1.9

v3.2.0

v3.2.1

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v3.2.7

v3.2.8

v3.2.9

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

Git / github.com/ruby/ruby

Affected ranges

Type: GIT
Repo: https://github.com/ruby/ruby
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f5c772fc7cbe9f5b58d962939fcb1c7e3fb1cfa6

Affected versions

Other

v1_0_r2

v2_7_0_preview1

v2_7_0_preview2

v2_7_0_preview3

v2_7_0_rc1

v2_7_0_rc2

v3_0_0_preview1

v3_0_0_preview2

v3_0_0_rc1

v3_0_0_rc2

v3_1_0_preview1

v3_2_0_preview1

v3_2_0_preview2

v3_2_0_preview3

v3_2_0_rc1

v3_3_0

v3_3_0_preview1

v3_3_0_preview2

v3_3_0_preview3

v3_3_1

v3_3_2

v3_3_3

v3_3_4

v3_3_5

v3_3_6

v3_3_7

v3_3_8