Commit 8c2227f

jasnowpostmodern authored and committed
GHSA SYNC: 2 brand new advisories
1 parent c105c3f commit 8c2227f

2 files changed

+75
-0
lines changed

gems/mpxj/CVE-2024-49771.yml

+35
@@ -0,0 +1,35 @@
1+
---
2+
gem: mpxj
3+
cve: 2024-49771
4+
ghsa: j945-c44v-97g6
5+
url: https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6
6+
title: MPXJ has a Potential Path Traversal Vulnerability
7+
date: 2024-10-28
8+
description: |
9+
### Impact
10+
11+
The patch for the historical vulnerability CVE-2020-35460 in MPXJ
12+
is incomplete as there is still a possibility that a malicious path
13+
could be constructed which would not be picked up by the original
14+
fix and allow files to be written to arbitrary locations.
15+
16+
### Patches
17+
18+
The issue is addressed in MPXJ version 13.5.1
19+
20+
### Workarounds
21+
22+
Do not pass zip files to MPXJ.
23+
24+
### References
25+
N/A
26+
cvss_v3: 5.3
27+
unaffected_versions:
28+
- "< 8.3.5"
29+
patched_versions:
30+
- ">= 13.5.1"
31+
related:
32+
url:
33+
- https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6
34+
- https://github.com/joniles/mpxj/commit/8002802890dfdc8bc74259f37e053e15b827eea0
35+
- https://github.com/advisories/GHSA-j945-c44v-97g6
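Review bot: `unaffected_versions: - "< 8.3.5"` is easy to misread and should be double-checked before merge. The description says the fix for CVE-2020-35460 was incomplete, so releases older than that fix are not free of the traversal; they simply carry the original bug under the older CVE rather than this one. A consumer that matches only this file will treat an older mpxj install as clean. If the intent is to keep the two CVEs non-overlapping, say so in the description (one line under "### Impact" noting that releases before the original fix are tracked under CVE-2020-35460) and confirm the 8.3.5 boundary against the GHSA affected range. Smaller: "### References" carries "N/A" while the fix commit 8002802890dfdc8bc74259f37e053e15b827eea0 is listed under `related`; repeating it in the description would make the advisory text self-contained.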

gems/rexml/CVE-2024-49761.yml

+40
@@ -0,0 +1,40 @@
1+
---
2+
gem: rexml
3+
cve: 2024-49761
4+
ghsa: 2rxp-v6pw-ch6m
5+
url: https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
6+
title: REXML ReDoS vulnerability
7+
date: 2024-10-28
8+
description: |
9+
## Impact
10+
11+
The REXML gem before 3.3.9 has a ReDoS vulnerability when it
12+
parses an XML that has many digits between `&#` and `x...;`
13+
in a hex numeric character reference (`&#x...;`).
14+
15+
This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only
16+
affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.
17+
18+
## Patches
19+
20+
The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
21+
22+
## Workarounds
23+
24+
Use Ruby 3.2 or later instead of Ruby 3.1.
25+
26+
## References
27+
28+
* https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
29+
* Announced on www.ruby-lang.org.
30+
cvss_v4: 6.6
31+
patched_versions:
32+
- ">= 3.3.9"
33+
related:
34+
url:
35+
- https://nvd.nist.gov/vuln/detail/CVE-2024-49761
36+
- https://github.com/ruby/rexml/releases/tag/v3.3.9
37+
- https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
38+
- https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
39+
- https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
40+
- https://github.com/advisories/GHSA-2rxp-v6pw-ch6m
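Review bot: `patched_versions: - ">= 3.3.9"` is the only version constraint, so every rexml older than 3.3.9 will be flagged regardless of interpreter, while the description says the ReDoS does not occur on Ruby 3.2 or later. The schema has no field for an interpreter condition, so the broad gem-only range is the right call, but the description should say that explicitly so a user on Ruby 3.2+ understands why the match fires (for example, one sentence after the Ruby 3.1 note: "The version range below is scoped to the gem only; it does not encode the Ruby-version condition"). Smaller: under "## References", the bullet "* Announced on www.ruby-lang.org." is not a link and only restates the URL above it; drop it, or replace it with the release tag URL that already appears under `related`.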
