CVE-2021-28965
Published: 2021-04-21
Priority: P343 · high · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 5.06% (91.2th percentile)
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby2.7 | < ruby2.7 2.7.3-1 (bullseye) | ruby2.7 2.7.3-1 (bullseye) |
| fedoraproject | fedora | — | — |
| msrc | cbl2_ruby_2.7.4-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_ruby_2.6.7-1_on_cbl_mariner_1.0 | — | — |
| ruby-lang | rexml | < 3.2.5 | 3.2.5 |
| ruby-lang | rexml | >= 0 < 3.2.5 | 3.2.5 |
| ruby-lang | ruby | < 2.6.7 | 2.6.7 |
| ruby-lang | ruby | >= 2.7.0 < 2.7.3 | 2.7.3 |
| ruby-lang | ruby | >= 3.0.0 < 3.0.1 | 3.0.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Ubuntu: Ruby vulnerability
Source: vendor_ubuntu · 2021-04-26
Title: Ruby vulnerability
Summary: Ruby incorrectly handled XML documents.
USN-4922-1 fixed a vulnerability in Ruby. This update provides the corresponding update for Ubuntu 21.04.
Original advisory details:
Juho Nurminen discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker could possibly use this issue to perform an XML round-trip attack.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu: Ruby vulnerability
Source: vendor_ubuntu · 2021-04-20
Title: Ruby vulnerability
Summary: Ruby incorrectly handled XML documents.
Juho Nurminen discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker could possibly use this issue to perform an XML round-trip attack.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Source: vendor_msrc · 2021-04-13 · CVSS 7.5 [HIGH]
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will updat
Red Hat: ruby: XML round-trip vulnerability in REXML
Source: vendor_redhat · 2021-04-05 · CVSS 7.5 [HIGH] · CWE-611
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
A flaw was found in the way the Ruby REXML library parsed XML documents. Parsing a specially crafted XML document using REXML and writing parsed data back to a new XML document results in creating a document with a different structure. This issue could affect the integrity of processed data in applications using REXML that parse XML documents, write data back to XML, and re-parse them again.
Package: ruby (CloudForms Management Engine 5) - Not affected
Package: ruby (Red Hat Enterprise Linux 6) - Out of support scope
Package: ruby (Red H
Debian: ruby2.7
Source: vendor_debian · 2021 · CVSS 7.5 [HIGH]
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
Scope: local
bullseye: resolved (fixed in 2.7.3-1)
OSV: REXML round-trip instability
Source: osv · 2021-04-30 · [HIGH]
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
GHSA: REXML round-trip instability
Source: ghsa · 2021-04-30 · [HIGH] · CWE-115
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
OSV: CVE-2021-28965
Source: osv · 2021-04-21 · CVSS 7.5 [HIGH]
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
No detection rules found.
No public exploits indexed.
References
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT/
https://security.netapp.com/advisory/ntap-20210528-0003/
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/