CVE-2021-28965 — XML External Entity (XXE) Injection in Rexml

CWE-611 — XML External Entity (XXE) Injection CWE-115 — Misinterpretation of Input11 documents9 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 41.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Rexml Ruby-lang Ruby Fedoraproject Fedora

Timeline

PublishedApr 21

Latest updateApr 30

Description

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDruby-lang/rexml< 3.2.5

▶NVDruby-lang/ruby2.7.0 — 2.7.3+2

Also affects: Fedora 34

🔴Vulnerability Details

OSV

REXML round-trip instability↗2021-04-30

▶

GHSA

REXML round-trip instability↗2021-04-30

▶

CVEList

CVE-2021-28965: The REXML gem before 3↗2021-04-21

▶

OSV

CVE-2021-28965: The REXML gem before 3↗2021-04-21

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerability↗2021-04-26

▶

Ubuntu

Ruby vulnerability↗2021-04-20

▶

Microsoft

The REXML gem before 3.2.5 in Ruby before 2.6.7 2.7.x before 2.7.3 and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and seriali↗2021-04-13

▶

Red Hat

ruby: XML round-trip vulnerability in REXML↗2021-04-05

▶

Debian

CVE-2021-28965: ruby2.7 - The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x bef...↗2021

▶

💬Community

Bugzilla

CVE-2021-28965 ruby: XML round-trip vulnerability in REXML↗2021-04-08

▶