Open npetrackunit opened 2 months ago
npetrackunit
commented
1 month ago Hey this is affecting the project I am working on since Starscream is a dependency for another package we need. If someone could take a look at this, that would be great! Thanks :)
@acmacalister @daltoniam
andrii-bodnar
commented
1 month ago Hi @acmacalister @daltoniam!
I'm Andrii from @crowdin, maintainer of the Crowdin iOS SDK - https://github.com/crowdin/mobile-sdk-ios.
This SDK depends on Starscream and we received the report about this vulnerability.
I was just wondering if it would be possible to fix it soon? We look forward to hearing from you and thank you in advance!
andrii-bodnar
commented
1 month ago It looks like there is already a pull request to fix this - https://github.com/daltoniam/Starscream/pull/1026
UPD. It updates to the older version than we need.
npetrackunit
commented
4 weeks ago Hi @acmacalister @daltoniam.
It has been over a month. If someone has seen this thread could you comment so I know someone is looking into fixing this?
Thanks!
What do you want to happen?
There is a DoS vulnerability in REXML gem. This vulnerability has been assigned the CVE identifier CVE-2024-39908. We strongly recommend upgrading the REXML gem.
What happens now?
When it parses an XML that has many specific characters such as <, 0 and %>. REXML gem may take long time.
Please update REXML gem to version 3.3.2 or later.
Demo Code
_
Describe alternatives you've considered
None.
Additional context
Affected versions REXML gem 3.3.2 or prior