Snyk High Vulnerability: rexml - Improper Restriction of XML External Entity Reference ('XXE') Vulnerability

[hbparache]

Introduced through terraspace@2.2.16 and terraspace_plugin_aws@0.6.1 Fixed in rexml@3.3.6 Exploit maturity No known exploit Show less detail Detailed paths Introduced through: project@ › terraspace@2.2.16 › rexml@3.2.6 Fix: No remediation path available. Introduced through: project@ › terraspace_plugin_aws@0.6.1 › s3-secure@0.7.0 › rexml@3.2.6 Fix: No remediation path available. Security information Factors contributing to the scoring: Snyk: CVSS v4.0 8.2 - High Severity | CVSS v3.1 5.9 - Medium Severity NVD: Not available. NVD has not yet published its analysis. Why are the scores different? Learn how Snyk evaluates vulnerability scores Overview rexml is an An XML toolkit for Ruby.

Affected versions of this package are vulnerable to Improper Restriction of XML External Entity Reference ('XXE') via tree parser APIs like REXML::Document.new function. An attacker can cause the application to consume excessive resources by submitting specially crafted XML documents with many deep elements that have the same local name attributes.

Note:

This is only exploitable if a tree parser API is used to parse untrusted XMLs.

[ShreyNiraula]

We can close this similar to https://github.com/NASA-IMPACT/csdap-cumulus/issues/398#issuecomment-2474003244 as Gemfile.lock (Ruby) used in only local Development.