Closed by hbparache 2 days ago
rexml is a part of the Ruby library which, as Chuck mentioned in the second half of this comment here: csdap-cumulus/issues/396
Gemfile.lock (Ruby) libraries are only used locally for the development Docker image. This code never gets deployed, so we can dismiss this alert.
This can be confirmed by looking at the files: Gemfile and Gemfile.lock.
Introduced through: terraspace@2.2.16 and terraspace_plugin_aws@0.6.1
Fixed in: rexml@3.3.3
Exploit maturity: Proof of Concept

Detailed paths
Introduced through: project@ › terraspace@2.2.16 › rexml@3.2.6
Fix: No remediation path available.
Introduced through: project@ › terraspace_plugin_aws@0.6.1 › s3-secure@0.7.0 › rexml@3.2.6
Fix: No remediation path available.

Security information
Factors contributing to the scoring:
Snyk: CVSS v4.0 6.9 - Medium Severity | CVSS v3.1 5.3 - Medium Severity
NVD: CVSS v3.1 7.5 - High Severity

Overview
rexml is an XML toolkit for Ruby.
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the SAX2 or pull parser API. An attacker can cause the application to consume excessive resources leading to a denial of service by submitting specially crafted XML documents that exploit entity expansions.
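As an added example, not code from the Snyk report or from the csdap-cumulus project, here is a Ruby pre-parse guard that estimates how far the entities declared in a document's internal DTD subset would expand, which is the amplification the advisory describes; the function names, the budget and the sample documents are assumptions.

```ruby
# Added example (not from the Snyk report or the csdap-cumulus repo): bound the
# expansion of entities declared in an internal DTD subset before parsing.
ENTITY_DECL = /<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>/
ENTITY_REF  = /&(\w+);/
# Map entity name => replacement text; external entities are not matched.
def declared_entities(xml)
  xml.scan(ENTITY_DECL).each_with_object({}) do |(name, dq, sq), h|
    h[name] = dq || sq
  end
end

# Fully expanded length of one entity, following nested references;
# a reference cycle is unbounded, so it is reported as infinite.
def expanded_length(name, entities, memo = {}, stack = [])
  return Float::INFINITY if stack.include?(name)
  return memo[name] if memo.key?(name)
  return 0 unless entities.key?(name) # built-in or undefined: no growth
  text = entities[name]
  total = text.gsub(ENTITY_REF, "").length
  text.scan(ENTITY_REF).each do |(ref)|
    total += expanded_length(ref, entities, memo, stack + [name])
  end
  memo[name] = total
end
# Upper bound on the characters that entity references in the body
# (outside the DOCTYPE) would expand to.
def estimated_expansion(xml)
  entities = declared_entities(xml)
  body = xml.sub(/<!DOCTYPE.*?\]>/m, "")
  body.scan(ENTITY_REF).sum { |(ref)| expanded_length(ref, entities) }
end

def within_expansion_budget?(xml, limit: 10_000)
  estimated_expansion(xml) <= limit
end
# Constructed samples: one harmless entity, and a small nested chain
# whose three declarations already expand to 1000 characters.
BENIGN_XML = <<~XML
  <!DOCTYPE r [ <!ENTITY org "Example Org"> ]>
  <r><name>&org;</name></r>
XML
NESTED_XML = <<~XML
  <!DOCTYPE r [
    <!ENTITY a "xxxxxxxxxx">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  ]>
  <r>&c;</r>
XML
```

REXML itself exposes comparable limits through REXML::Security.entity_expansion_limit and REXML::Security.entity_expansion_text_limit; a guard like this one is a defence-in-depth check placed in front of whichever parser API is used.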