FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ruby -- XML round-trip vulnerability in REXML

Affected packages
2.5.0,1 <= ruby < 2.5.9,1
2.6.0,1 <= ruby < 2.6.7,1
2.7.0,1 <= ruby < 2.7.3,1
3.0.0.p1,1 <= ruby < 3.0.1,1
rubygem-rexml < 3.2.5

Details

VuXML ID dec7e4b6-961a-11eb-9c34-080027f515ea
Discovery 2021-04-05
Entry 2021-04-05

Juho Nurminen reports:

When parsing and serializing a crafted XML document, the REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one. The impact of this issue highly depends on context, but it may lead to a vulnerability in some programs that are using REXML.

References

CVE Name CVE-2021-28965
URL https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/