Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

up rexml to a version that doesnt include the ddos vulnerability #806

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

up rexml to a version that doesnt include the ddos vulnerability #806

wants to merge 1 commit into from

Conversation

jeremiahlukus
Copy link

REXML contains a denial of service vulnerability (CVE-2024-35176)

Impact The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value. If you need to parse untrusted XMLs, you many be impacted to this vulnerability. ### Patches The REXML gem 3.2.7 or later include the patch to fix this vulnerability. ### Workarounds Don't parse untrusted XMLs. ### References * https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

^ pasted from NewRelic

@monicao
Copy link

monicao commented Aug 26, 2024

It looks like more vulnerabilities were found since May.

Consider bumping the version of rexml to '>= 3.3.6', because this CVE-2024-43398 reports the DoS vulnerability is there in prior versions.

@jeremiahlukus
Copy link
Author

I would if it would get merged since this didnt get merged its unlikely another version bump will.

@etherz10
Copy link

@gettalong Any chance of bumping the minimum rexml version required to 3.3.6 and then merging this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jeremiahlukus @monicao @etherz10