Add CVE-2024-49761: ReDoS vulnerability in REXML

ruby · Oct 28, 2024 · 9862c90 · 9862c90
1 parent 8937e6e
commit 9862c90
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/en/news/_posts/2024-10-28-redos-rexml-cve-2024-49761.md b/en/news/_posts/2024-10-28-redos-rexml-cve-2024-49761.md
@@ -0,0 +1,31 @@
+---
+layout: news_post
+title: "CVE-2024-49761: ReDoS vulnerability in REXML"
+author: "kou"
+translator:
+date: 2024-10-28 03:00:00 +0000
+tags: security
+lang: en
+---
+
+There is a ReDoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier [CVE-2024-49761](https://www.cve.org/CVERecord?id=CVE-2024-49761). We strongly recommend upgrading the REXML gem.
+
+This is not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.
+
+## Details
+
+When parsing an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`).
+
+Please update REXML gem to version 3.3.9 or later.
+
+## Affected versions
+
+* REXML gem 3.3.8 or prior with Ruby 3.1 or prior
+
+## Credits
+
+Thanks to [manun](https://hackerone.com/manun) for discovering this issue.
+
+## History
+
+* Originally published at 2024-10-28 03:00:00 (UTC)