34 changes: 34 additions & 0 deletions zh_tw/news/_posts/2024-10-28-redos-rexml-cve-2024-49761.md
@@ -0,0 +1,34 @@
---
layout: news_post
title: "CVE-2024-49761: ReDoS vulnerability in REXML"
Member:
Ah, I just noticed this title is not translated, but we can do this in follow-up PRs on the previous ReDoS posts.

Contributor Author:
Thank you, I will open PRs to translate these news titles.

author: "kou"
translator: "Bear Su"
date: 2024-10-28 03:00:00 +0000
tags: security
lang: zh_tw
---

在 REXML gem 發現了一個 DoS 漏洞。
該漏洞的 CVE 編號為 [CVE-2024-43398](https://www.cve.org/CVERecord?id=CVE-2024-43398)。
我們強烈建議您升級 REXML gem。

該漏洞不會在 Ruby 3.2 或之後發生。Ruby 3.1 是唯一受到影響的版本。
注意 Ruby 3.1 將會在 2025-03 結束生命週期。

## 風險細節

當解析的 XML 裡十六進位數字字元參考 (`&#x...;`) 中的 `&#` 和 `x...;` 之間有許多數字。

請更新 REXML gem 至 3.3.9 或更新的版本。

## 受影響版本

* REXML gem 3.3.8 或 Ruby 3.1 較早的版本或更早的版本。

## 致謝

感謝 [manun](https://hackerone.com/manun) 發現此問題。

## 歷史

* 最初發布於 2024-10-28 03:00:00 (UTC)
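Review bot: the CVE identifier in the body does not match the title and the file name. The front matter and the path both say CVE-2024-49761, but the body line reads `該漏洞的 CVE 編號為 [CVE-2024-43398](https://www.cve.org/CVERecord?id=CVE-2024-43398)`, so both the link text and the URL should be changed to CVE-2024-49761, otherwise readers are sent to a different CVE record. Two smaller points in the same hunk: the sentence under `## 風險細節` (`當解析的 XML 裡十六進位數字字元參考 (`&#x...;`) 中的 `&#` 和 `x...;` 之間有許多數字。`) is only a subordinate "when" clause and never states the consequence; it should say that REXML gem 3.3.8 or earlier is vulnerable to ReDoS when it parses such input, consistent with the title and with the "update to 3.3.9" line. And the affected-versions bullet duplicates the "or earlier" phrase (`* REXML gem 3.3.8 或 Ruby 3.1 較早的版本或更早的版本。`); rewrite it as a single phrase, e.g. REXML gem 3.3.8 or earlier, as bundled with Ruby 3.1 or earlier, which also matches the statement above that Ruby 3.1 is the only affected Ruby version.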