CVEFinder.io

CVE-2024-43398

🔶 medium
Summary

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML document containing many deeply nested elements whose attributes share the same local name. If you need to parse untrusted XML with a tree parser API such as REXML::Document.new, you may be affected by this vulnerability. If you use other parser APIs, such as the stream parser API or the SAX2 parser API, you are not affected. REXML gem 3.3.6 or later includes the patch that fixes the vulnerability.

CVSS Score
5.9
Medium
EPSS Score
1.2
Exploit Probability
Published Date
2024-08-22
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 33.3% of all 329,456 vulnerabilities in our database.

#219,613
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Aug 22, 2024
πŸ” Exploitation Status
None
No known exploits
βš™οΈ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2025-11-03
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE IDs (Weakness Types)

📦 Affected Products 2

🔗 References 4

🔗 Related CVEs 6

CVE ID | Severity | CVSS | EPSS | Summary | Published
CVE-2025-58767 | 🔶 medium | 5.3 | 0.0 | REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing... | 2025-09-17
CVE-2025-30691 | 🔶 medium | 4.8 | 0.1 | Vulnerability in Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle Java SE: 21.0.6,... | 2025-04-15
CVE-2025-29768 | 🔶 medium | 4.4 | 0.2 | Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to... | 2025-03-13
CVE-2025-24813 | ⛔ critical | 9.8 | 94.2 | Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or mal... | 2025-03-10
CVE-2025-1215 | ℹ️ low | 2.8 | 0.4 | A vulnerability classified as problematic was found in vim up to 9.1.1096. This vulnerability affects unknown code of th... | 2025-02-12
CVE-2025-0167 | ℹ️ low | 3.4 | 0.2 | When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used fo... | 2025-02-05
These CVEs affect the same products