XML round-trip vulnerability in REXML
Published: April 05, 2021
SECURITY IDENTIFIERS
- CVE: CVE-2021-28965 (NVD)
- GHSA: GHSA-8cr8-4vfw-mr7h
- Vendor Advisory: https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
GEM
SEVERITY
CVSS v3.x: 7.5 (High)
PATCHED VERSIONS
~> 3.1.9.1
~> 3.2.3.1
>= 3.2.5
DESCRIPTION
When parsing and then serializing a crafted XML document, the REXML gem (including the copy bundled with Ruby) can produce an incorrect XML document whose structure differs from the original one.
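A defender-side consistency check for the failure mode described above, added here as an example and not part of the advisory: it parses a document with REXML, serializes it, parses the output again, and compares the two element trees. It deliberately does not reproduce the crafted input; the sample documents are constructed, benign inputs, and `shape` and `round_trip_stable?` are names chosen for this example.

```ruby
require 'rexml/document'

# Reduce an REXML tree to plain Ruby data (element names, sorted attributes,
# non-blank text) so two parses can be compared structurally.
# Comments and processing instructions are ignored by this check.
def shape(node)
  case node
  when REXML::Document
    shape(node.root)
  when REXML::Element
    attrs = []
    node.attributes.each { |name, value| attrs << [name, value] }
    {
      name: node.expanded_name,
      attrs: attrs.sort,
      children: node.children.map { |c| shape(c) }.compact
    }
  when REXML::Text
    text = node.value.strip # unescaped text content
    text.empty? ? nil : text
  end
end

# Parse -> serialize -> parse again. Returns true only when the second parse
# yields the same structure as the first, i.e. the round trip did not alter
# the document. A false result is the signal that the serializer output does
# not mean what the original input meant and should be treated as suspect.
def round_trip_stable?(xml)
  original = REXML::Document.new(xml)
  reparsed = REXML::Document.new(original.to_s)
  shape(original) == shape(reparsed)
end

if __FILE__ == $0
  # Constructed sample input for demonstration only.
  sample = '<config><user name="alice" role="admin">&lt;ok&gt;</user><!-- note --></config>'
  puts(round_trip_stable?(sample) ? 'round trip stable' : 'round trip CHANGED structure')
end
```

Running untrusted XML through this check before it is persisted or forwarded catches any parse/serialize disagreement, on patched or unpatched REXML alike.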
