Open jeremiahlukus opened 3 months ago
It looks like more vulnerabilities were found since May.
Consider bumping the version of rexml to '>= 3.3.6'
, because this CVE-2024-43398 reports the DoS vulnerability is there in prior versions.
I would if it would get merged since this didnt get merged its unlikely another version bump will.
REXML contains a denial of service vulnerability (CVE-2024-35176)
Impact The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many
<
s in an attribute value. If you need to parse untrusted XMLs, you many be impacted to this vulnerability. ### Patches The REXML gem 3.2.7 or later include the patch to fix this vulnerability. ### Workarounds Don't parse untrusted XMLs. ### References * https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/^ pasted from NewRelic