Home > Vulnerability Database > CVE-2024-41946

Mend.io Vulnerability Database

CVE-2024-41946

Good to know:

Date: August 1, 2024

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

Language: Ruby

Severity Score

5.3

Related Resources (8)

Url: https://github.com/ruby/rexml

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-41946

Url: https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4

Url: https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368

Url: https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml

Url: https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946

Url: https://www.mend.io/vulnerability-database/CVE-2024-41946

Severity Score

5.3

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version rexml - 3.3.3

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-41946

Good to know:

Date: August 1, 2024

Language: Ruby

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?