The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML document that contains many deeply nested elements with attributes sharing the same local name.
If you need to parse untrusted XML with the tree parser API, such as REXML::Document.new, you may be affected by this vulnerability. If you use other parser APIs, such as the stream parser API or the SAX2 parser API, this vulnerability does not affect you.
Patches
The REXML gem 3.3.6 or later includes the patch that fixes the vulnerability.
ruby/rexml (rexml)
### [`v3.3.6`](https://togithub.com/ruby/rexml/releases/tag/v3.3.6): REXML 3.3.6 - 2024-08-22
[Compare Source](https://togithub.com/ruby/rexml/compare/v3.3.5...v3.3.6)
##### Improvements
- Removed duplicated entity expansions for performance.
  - [GH-194](https://togithub.com/ruby/rexml/issues/194)
  - Patch by Viktor Ivarsson.
- Improved the performance of the namespace-conflicting attribute check. It was
  too slow for deeply nested elements.
  - Reported by l33thaxor.
##### Fixes
- Fixed a bug where default entity expansions were counted for the
  security check. Default entity expansions should not be counted
  because they don't carry a security risk.
  - [GH-198](https://togithub.com/ruby/rexml/issues/198)
  - [GH-199](https://togithub.com/ruby/rexml/issues/199)
  - Patch by Viktor Ivarsson.
- Fixed a parser bug where parameter entity references in internal
  subsets were expanded. The XML specification does not allow this.
  - [GH-191](https://togithub.com/ruby/rexml/issues/191)
  - Patch by NAITOH Jun.
- Fixed a stream parser bug where user-defined entity references in
  text weren't expanded.
  - [GH-200](https://togithub.com/ruby/rexml/issues/200)
  - Patch by NAITOH Jun.
##### Thanks
- Viktor Ivarsson
- NAITOH Jun
- l33thaxor
### [`v3.3.5`](https://togithub.com/ruby/rexml/releases/tag/v3.3.5): REXML 3.3.5 - 2024-08-12
[Compare Source](https://togithub.com/ruby/rexml/compare/v3.3.4...v3.3.5)
##### Fixes
- Fixed a bug where the `REXML::Security.entity_expansion_text_limit`
  check calculated the text size incorrectly in the SAX and pull parsers.
  - [GH-193](https://togithub.com/ruby/rexml/issues/193)
  - [GH-195](https://togithub.com/ruby/rexml/issues/195)
  - Reported by Viktor Ivarsson.
  - Patch by NAITOH Jun.
##### Thanks
- Viktor Ivarsson
- NAITOH Jun
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR contains the following updates: rexml 3.3.4 -> 3.3.6
GitHub Vulnerability Alerts
CVE-2024-43398
Workarounds
Don't parse untrusted XML with the tree parser API.
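As an added example (not part of the advisory or of the rexml project itself), this Ruby script applies the workaround above and the version condition from the Patches section: untrusted XML is streamed through REXML's SAX2 parser API, which the advisory lists as not affected, while REXML::Document.new is only used once the installed gem reports 3.3.6 or later. The ElementCounter class, the summarize_untrusted and parse_untrusted_tree names and the sample XML are this example's own constructions.

```ruby
require "rexml/document"
require "rexml/parsers/sax2parser"
require "rexml/sax2listener"

# First rexml release carrying the fix for CVE-2024-43398.
PATCHED_REXML = Gem::Version.new("3.3.6")

# True when the installed gem (REXML::VERSION, defined by rexml) is patched.
def rexml_patched?(version = REXML::VERSION)
  Gem::Version.new(version) >= PATCHED_REXML
end

# SAX2 listener (name is this example's own) that only counts elements and
# tracks nesting depth; no tree is ever built for the input.
class ElementCounter
  include REXML::SAX2Listener
  attr_reader :elements, :max_depth

  def initialize
    @elements = 0
    @depth = 0
    @max_depth = 0
  end

  def start_element(_uri, _localname, _qname, _attributes)
    @elements += 1
    @depth += 1
    @max_depth = @depth if @depth > @max_depth
  end

  def end_element(_uri, _localname, _qname)
    @depth -= 1
  end
end

# Untrusted input path: stream through the SAX2 API and return summary numbers.
def summarize_untrusted(xml)
  listener = ElementCounter.new
  parser = REXML::Parsers::SAX2Parser.new(xml)
  parser.listen(listener)
  parser.parse
  { elements: listener.elements, max_depth: listener.max_depth }
end

# Tree-parser path: allowed for untrusted input only on a patched gem.
def parse_untrusted_tree(xml)
  raise "rexml #{REXML::VERSION} < 3.3.6: refusing tree parse" unless rexml_patched?
  REXML::Document.new(xml)
end

# Constructed sample input, not taken from the advisory.
SAMPLE_XML = '<root a="1"><child a="2"><leaf a="3"/></child><child a="4"/></root>'
```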
This PR was generated by Mend Renovate.