GSHA SYNC: 1 brand new advisory

Author: jasnow

gems/rexml/CVE-2024-43398.yml

@@ -0,0 +1,52 @@
+---
+gem: rexml
+cve: 2024-43398
+ghsa: vmwr-mc7x-5vc3
+url: https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
+title: REXML denial of service vulnerability
+date: 2024-08-22
+description: |
+  ### Impact
+
+  The REXML gem before 3.3.6 has a DoS vulnerability when it parses an
+  XML that has many deep elements that have same local name attributes.
+
+  If you need to parse untrusted XMLs with tree parser API like
+  `REXML::Document.new`, you may be impacted to this vulnerability.
+  If you use other parser APIs such as stream parser API and SAX2
+  parser API, this vulnerability is not affected.
+
+  This vulnerability has been assigned the CVE identifier CVE-2024-43398.
+  We strongly recommend upgrading the REXML gem.
+
+  ### Patches
+
+  The REXML gem 3.3.6 or later include the patch to fix the
+  vulnerability.
+
+  ### Workarounds
+
+  Don't parse untrusted XMLs with tree parser API.
+
+  ## Affected versions
+
+  REXML gem 3.3.5 or prior
+
+  ## Credits
+
+  Thanks to l33thaxor for discovering this issue.
+
+  ## History
+
+  Originally published at 2024-08-22 03:00:00 (UTC)
+cvss_v3: 5.9
+patched_versions:
+  - ">= 3.3.6"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-43398
+    - https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398
+    - https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
+    - https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3
+    - https://github.com/ruby/rexml/releases/tag/v3.3.6
+    - https://github.com/advisories/GHSA-vmwr-mc7x-5vc3