CVE-2024-49761
Published: 28 October 2024
Summary
CVE-2024-49761 is a medium-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Ruby-Lang Rexml. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 17.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2910
Vulnerability details
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML document that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later; Ruby 3.1 is the only affected maintained Ruby. REXML gem 3.3.9 or later includes the patch that fixes the vulnerability. Because exposure depends on both versions, check the rexml version actually loaded by the application (Gemfile.lock or gem list rexml) together with the interpreter version; Ruby 3.1 ships rexml as a bundled gem, so the bundled copy is not necessarily current.
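As an added example (written for this page, not REXML's code or anything from the advisory), the Ruby script below shows the mechanics behind the description above: a regex of the vulnerable shape, where a greedy leading-zero prefix overlaps a following digit run, so that a malformed reference with many digits forces the engine to retry every split of the zero run; a single-pass decoder that cannot be stalled by any input shape; and a version check for the affected REXML/Ruby combination. The regex NAIVE_NUMERIC_REF is an assumed, simplified pattern, not REXML's actual line, the payload is constructed, and all function names are illustrative.

```ruby
# Added example for CVE-2024-49761 (not REXML's code): why a numeric character
# reference with a long run of digits can stall a backtracking regex, a
# linear-time decoder that cannot stall, and a check for the affected
# REXML/Ruby combination. The regex below is an assumed, simplified pattern of
# the vulnerable shape (a greedy "0*" prefix overlapping "\d+"); it is written
# for this example and is not copied from REXML.
require "benchmark"

# Illustrative backtracking pattern (assumption, not REXML's actual regex).
NAIVE_NUMERIC_REF = /&#0*(\d+|x[0-9a-fA-F]+);/

# Constructed payload in the advisory's shape: many digits between "&#" and an
# "x...;" tail. The tail is chosen so the reference is malformed and the match
# must FAIL, which is what forces the engine to retry every split of the zero run.
def redos_payload(zeros)
  "&#" + ("0" * zeros) + "x;"
end

# Regex-based decoder. Work on the payload above is quadratic on Ruby < 3.2,
# because for each way "0*" can stop, "\d+" re-scans the remaining zeros.
def decode_naive(text)
  text.gsub(NAIVE_NUMERIC_REF) do
    body = Regexp.last_match(1)
    cp = body.start_with?("x") ? body[1..].to_i(16) : body.to_i(10)
    cp.chr(Encoding::UTF_8)
  end
end

DEC_DIGIT = ("0".."9")
def hex_digit?(c)
  DEC_DIGIT.cover?(c) || ("a".."f").cover?(c) || ("A".."F").cover?(c)
end

# Linear-time decoder: a single left-to-right pass with no regex. Each
# character is examined a bounded number of times, so no input shape can make
# it backtrack. Malformed or out-of-range references are copied through
# unchanged (a real parser would reject the document; the point here is that
# rejecting must not take quadratic time).
def decode_linear(text)
  out = +""
  i = 0
  n = text.length
  while i < n
    if text[i] == "&" && text[i + 1] == "#"
      j = i + 2
      hex = text[j] == "x"
      j += 1 if hex
      start = j
      j += 1 while j < n && (hex ? hex_digit?(text[j]) : DEC_DIGIT.cover?(text[j]))
      if j > start && text[j] == ";"
        cp = text[start...j].to_i(hex ? 16 : 10)
        begin
          out << cp.chr(Encoding::UTF_8)
        rescue RangeError            # e.g. surrogates or values above U+10FFFF
          out << text[i..j]
        end
        i = j + 1
        next
      end
      # Not a well-formed reference: emit the "&" and keep scanning from i + 1.
    end
    out << text[i]
    i += 1
  end
  out
end

# Affected combination per the advisory: REXML gem < 3.3.9 on Ruby < 3.2.
# (Ruby 3.2+ is unaffected because its regex engine avoids the quadratic
# backtracking; 3.1 was the only maintained release exposed.)
def affected?(rexml_version, ruby_version)
  Gem::Version.new(rexml_version) < Gem::Version.new("3.3.9") &&
    Gem::Version.new(ruby_version) < Gem::Version.new("3.2")
end

# Wall-clock seconds per decoder. Only on an affected interpreter will the
# naive figure grow quadratically with the payload length.
def time_decoders(text)
  {
    naive:  Benchmark.realtime { decode_naive(text) },
    linear: Benchmark.realtime { decode_linear(text) },
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "Ruby #{RUBY_VERSION}; REXML 3.3.8 here would be affected: #{affected?('3.3.8', RUBY_VERSION)}"
  time_decoders(redos_payload(5_000)).each { |name, secs| printf("%-7s %.4fs\n", name, secs) }
end
```

Run it on Ruby 3.1 to see the naive timing climb as the zero count grows while the linear decoder stays flat; on Ruby 3.2 or later both figures stay small, which is exactly the advisory's point about which interpreters are exposed. The timing is illustrative only; the remediation is upgrading the rexml gem to 3.3.9 or later, not patching application code.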
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The ReDoS in REXML's parsing of hex numeric character references lets anyone who can supply XML to the application exhaust CPU on the parsing host with a crafted document, a denial of service that ATT&CK classifies as Endpoint Denial of Service: Application or System Exploitation (T1499.004).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.