REXML < 3.2.6 DoS via many '<' in attribute value
CVE-2024-35176 Published on May 16, 2024

REXML contains a denial of service vulnerability
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.

Github Repository NVD

Vulnerability Analysis

CVE-2024-35176 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
LOW

Weakness Types

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2024-35176 has been classified to as a Resource Exhaustion vulnerability or weakness.

Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.


Products Associated with CVE-2024-35176

stack.watch emails you whenever new vulnerabilities are published in Canonical Ubuntu Linux or Ruby Programming Language Rexml. Just hit a watch button to start following.

Canonical Ubuntu Linux
 
Ruby Programming Language Rexml
 

Affected Versions

ruby rexml: ruby-lang rexml:

Vulnerable Packages

The following package name and versions may be associated with CVE-2024-35176

Package Manager Vulnerable Package Versions Fixed In
rubygems rexml < 3.2.7 3.2.7

Exploit Probability

EPSS
6.90%
Percentile
91.23%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.