1+ ---
2+ gem : mpxj
3+ cve : 2024-49771
4+ ghsa : j945-c44v-97g6
5+ url : https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6
6+ title : MPXJ has a Potential Path Traversal Vulnerability
7+ date : 2024-10-28
8+ description : |
9+ ### Impact
10+
11+ The patch for the historical vulnerability CVE-2020-35460 in MPXJ
12+ is incomplete as there is still a possibility that a malicious path
13+ could be constructed which would not be picked up by the original
14+ fix and allow files to be written to arbitrary locations.
15+
16+ ### Patches
17+
18+ The issue is addressed in MPXJ version 13.5.1
19+
20+ ### Workarounds
21+
22+ Do not pass zip files to MPXJ.
23+
24+ ### References
25+ N/A
26+ cvss_v3 : 5.3
27+ unaffected_versions :
28+ - " < 8.3.5"
29+ patched_versions :
30+ - " >= 13.5.1"
31+ related :
32+ url :
33+ - https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6
34+ - https://github.com/joniles/mpxj/commit/8002802890dfdc8bc74259f37e053e15b827eea0
35+ - https://github.com/advisories/GHSA-j945-c44v-97g6
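Review bot: `unaffected_versions: " < 8.3.5"` (hunk lines 27-28) is never explained by the description, which only says the earlier fix for CVE-2020-35460 was incomplete and that 13.5.1 addresses this issue, so a consumer of this file cannot tell where the 8.3.5 bound comes from. If 8.3.5 is the release that introduced the original (incomplete) fix, say so in the description, because releases below that bound are outside this CVE only in the sense that they carry the older CVE-2020-35460 issue instead, and "unaffected" should not be read as "safe from path traversal"; otherwise drop the entry so the advisory reads as applying to everything below 13.5.1. Minor: the description's `### References` block says `N/A` while `related.url` lists three links; pointing it at the advisory URL (or removing the empty section) keeps the two consistent, and `The issue is addressed in MPXJ version 13.5.1` is missing its full stop.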
1+ ---
2+ gem : rexml
3+ cve : 2024-49761
4+ ghsa : 2rxp-v6pw-ch6m
5+ url : https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
6+ title : REXML ReDoS vulnerability
7+ date : 2024-10-28
8+ description : |
9+ ## Impact
10+
11+ The REXML gem before 3.3.9 has a ReDoS vulnerability when it
12+ parses an XML that has many digits between `&#` and `x...;`
13+ in a hex numeric character reference (`&#x...;`).
14+
15+ This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only
16+ affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.
17+
18+ ## Patches
19+
20+ The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
21+
22+ ## Workarounds
23+
24+ Use Ruby 3.2 or later instead of Ruby 3.1.
25+
26+ ## References
27+
28+ * https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
29+ * Announced on www.ruby-lang.org.
30+ cvss_v4 : 6.6
31+ patched_versions :
32+ - " >= 3.3.9"
33+ related :
34+ url :
35+ - https://nvd.nist.gov/vuln/detail/CVE-2024-49761
36+ - https://github.com/ruby/rexml/releases/tag/v3.3.9
37+ - https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
38+ - https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
39+ - https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
40+ - https://github.com/advisories/GHSA-2rxp-v6pw-ch6m
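Review bot: the affected set here depends on the Ruby runtime as well as the gem version (`This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby.`, hunk lines 15-16), which `patched_versions: " >= 3.3.9"` alone cannot express, so an application on Ruby 3.2+ with rexml below 3.3.9 will be flagged even though the description says it is not affected. Since the schema has no runtime field, consider putting that condition in the first sentence of the description and in the title (e.g. `REXML ReDoS vulnerability (Ruby 3.1)`) so a match is easy to triage. Minor: `* Announced on www.ruby-lang.org.` (hunk line 29) is a sentence inside the URL list rather than a reference and duplicates the announcement link directly above it, so drop it; and `The REXML gem 3.3.9 or later include the patch` should read `includes`.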