Updated advisory posts against rubysec/ruby-advisory-db@343e45a

jasnow · RubySec CI · commit 1517707775c2 · 2024-05-16T23:29:07.000Z
diff --git a/advisories/_posts/2024-05-16-CVE-2024-35176.md b/advisories/_posts/2024-05-16-CVE-2024-35176.md
@@ -0,0 +1,45 @@
+---
+layout: advisory
+title: 'CVE-2024-35176 (rexml): REXML contains a denial of service vulnerability'
+comments: false
+categories:
+- rexml
+advisory:
+  gem: rexml
+  cve: 2024-35176
+  ghsa: vg3r-rm7w-2xgh
+  url: https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
+  title: REXML contains a denial of service vulnerability
+  date: 2024-05-16
+  description: |
+    ### Impact
+
+    The REXML gem before 3.2.6 has a DoS vulnerability when it
+    parses an XML that has many `<`s in an attribute value.
+
+    If you need to parse untrusted XMLs, you many be impacted
+    to this vulnerability.
+
+    ### Patches
+
+    The REXML gem 3.2.7 or later include the patch to fix this
+    vulnerability.
+
+    ### Workarounds
+
+    Don't parse untrusted XMLs.
+
+    ### References
+
+    * https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
+  cvss_v3: 5.3
+  patched_versions:
+  - ">= 3.2.7"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-35176
+    - https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176
+    - https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
+    - https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
+    - https://github.com/advisories/GHSA-vg3r-rm7w-2xgh
+---
