Home > Vulnerability Database > CVE-2024-49761

Mend.io Vulnerability Database

CVE-2024-49761

Good to know:

Date: October 28, 2024

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Language: Ruby

Severity Score

7.5

Related Resources (7)

Url: https://github.com/ruby/rexml

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-49761.yml

Url: https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-49761

Url: https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m

Url: https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f

Url: https://www.mend.io/vulnerability-database/CVE-2024-49761

Severity Score

7.5

Weakness Type (CWE)

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version rexml - 3.3.9

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-49761

Good to know:

Date: October 28, 2024

Language: Ruby

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?