Vulnerability Description
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ruby-Lang | Rexml | < 3.3.2 |
| Netapp | Bootstrap Os | - |
| Netapp | Hci Compute Node | - |
Related Weaknesses (CWE)
References
- https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8Vendor Advisory
- https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908Vendor Advisory
- https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8Vendor Advisory
- https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
- https://security.netapp.com/advisory/ntap-20250117-0008/Third Party Advisory
- https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908Vendor Advisory
FAQ
What is CVE-2024-39908?
CVE-2024-39908 is a vulnerability with a CVSS score of 4.3 (MEDIUM). REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untru...
How severe is CVE-2024-39908?
CVE-2024-39908 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-39908?
Check the references section above for vendor advisories and patch information. Affected products include: Ruby-Lang Rexml, Netapp Bootstrap Os, Netapp Hci Compute Node.