CVE-2021-28965

Published: 21/04/2021 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

The REXML gem prior to 3.2.5 in Ruby prior to 2.6.7, 2.7.x prior to 2.7.3, and 3.x prior to 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

Vulnerable Products

ruby-lang ruby

ruby-lang rexml

fedoraproject fedora 34

Vendor Advisories

Debian Bug report logs - #986806 CVE-2021-28965. Package: ruby-rexml; Maintainer for ruby-rexml is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for ruby-rexml is src:ruby-rexml (PTS, buildd, popcon). Reported by: Moritz Muehlenhoff <jmm@debian.org>. Date: Mon, 12 Apr 2021 ...
Synopsis: Important: ruby:2.6 security update. Type/Severity: Security Advisory: Important. Red Hat Insights patch analysis: Identify and remediate systems affected by this advisory. View affected systems. Topic: An update for the ruby:2.6 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Secu ...
Synopsis: Important: ruby:2.6 security update. Type/Severity: Security Advisory: Important. Red Hat Insights patch analysis: Identify and remediate systems affected by this advisory. View affected systems. Topic: An update for the ruby:2.6 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Pr ...
Several vulnerabilities have been discovered in the interpreter for the Ruby language and the Rubygems included, which may result in XML round-trip attacks, the execution of arbitrary code, information disclosure, StartTLS stripping in IMAP or denial of service. For the oldstable distribution (buster), these problems have been fixed in version 2.5.5 ...
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing (CVE-2021-28965) ...
A flaw was found in the way the Ruby REXML library parsed XML documents. Parsing a specially crafted XML document using REXML and writing parsed data back to a new XML document results in creating a document with a different structure. This issue could affect the integrity of processed data in applications using REXML that parse XML documents, writ ...
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request ...
When parsing and serializing a crafted XML document, the REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML. The issue is fixed in version 3.2.5 ...

Github Repositories

Dependency vulnerability auditor for Ruby

Chelsea: Chelsea is a CLI application written in Ruby, designed to allow you to scan your RubyGem-powered projects and report on any vulnerabilities in your third-party dependencies. It is powered by Sonatype's OSS Index. Usage: Chelsea can be installed with the gem command: $ gem install chelsea $ chelsea --help usage: /usr/local/bin/

Advisory database for GitLab Dependency Scanning, automatically updated daily at 17:00

GitLab Advisory Database: This repository contains the security advisories used by the GitLab dependency scanners. It can be used for both searching advisories and submitting new ones. The GitLab team constantly improves this vulnerability database by checking external sources on a regular basis, and contributing their findings to this repo. Learn more on the external sources an