CVEFinder.io

CVE-2024-39908

πŸ”Ά medium
πŸ” Scan for this CVE
Summary

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.

CVSS Score
4.3
Medium
EPSS Score
5.6
Exploit Probability
Published Date
2024-07-16
First Seen: 2026-01-05
πŸ“Š Relative Risk Intelligence

This CVE is Lower Risk - more severe than 5.4% of all 329,456 vulnerabilities in our database.

#311,645
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Jul 16, 2024
πŸ” Exploitation Status
None
No known exploits
βš™οΈ Automatable
NO
Requires human interaction
πŸ’₯ Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2025-11-03
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CWE IDs (Weakness Types)
CWE-400

πŸ“¦ Affected Products 2

Vendor Product Status Affected Versions
ruby-lang rexml Affected
< 3.3.2
netapp bootstrap_os Affected
v-

πŸ”— References 4

https://github.com/ruby/rexml/security/advisories/GH...
Vendor Advisory
https://www.ruby-lang.org/en/news/2024/07/16/dos-rex...
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/01...
https://security.netapp.com/advisory/ntap-20250117-0...
Third Party Advisory

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-58767 πŸ”Ά medium 5.3 0.0 REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing... 2025-09-17
CVE-2025-30691 πŸ”Ά medium 4.8 0.1 Vulnerability in Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle Java SE: 21.0.6,... 2025-04-15
CVE-2025-29768 πŸ”Ά medium 4.4 0.2 Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to... 2025-03-13
CVE-2025-24813 β›” critical 9.8 94.2 Path Equivalence: 'file.Name' (Internal Dot) leading toΒ Remote Code Execution and/or Information disclosureΒ and/or mal... 2025-03-10
CVE-2025-1215 ℹ️ low 2.8 0.4 A vulnerability classified as problematic was found in vim up to 9.1.1096. This vulnerability affects unknown code of th... 2025-02-12
CVE-2025-0167 ℹ️ low 3.4 0.2 When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used fo... 2025-02-05
These CVEs affect the same products