Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:deb/debian/ruby2.7@2.7.4-1%2Bdeb11u1
Typedeb
Namespacedebian
Nameruby2.7
Version2.7.4-1+deb11u1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-2sv2-6snv-2bd3
vulnerability_id VCID-2sv2-6snv-2bd3
summary Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-28739.json
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-28739.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-28739
reference_id
reference_type
scores
0
value 0.00306
scoring_system epss
scoring_elements 0.53796
published_at 2026-04-09T12:55:00Z
1
value 0.00306
scoring_system epss
scoring_elements 0.53798
published_at 2026-04-08T12:55:00Z
2
value 0.00306
scoring_system epss
scoring_elements 0.53845
published_at 2026-04-11T12:55:00Z
3
value 0.00306
scoring_system epss
scoring_elements 0.53828
published_at 2026-04-12T12:55:00Z
4
value 0.00306
scoring_system epss
scoring_elements 0.53812
published_at 2026-04-13T12:55:00Z
5
value 0.00306
scoring_system epss
scoring_elements 0.53849
published_at 2026-04-16T12:55:00Z
6
value 0.00306
scoring_system epss
scoring_elements 0.53746
published_at 2026-04-07T12:55:00Z
7
value 0.00306
scoring_system epss
scoring_elements 0.53773
published_at 2026-04-04T12:55:00Z
8
value 0.00346
scoring_system epss
scoring_elements 0.57161
published_at 2026-04-18T12:55:00Z
9
value 0.00346
scoring_system epss
scoring_elements 0.57139
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-28739
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28739
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28739
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
url https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009957
reference_id 1009957
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009957
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2075687
reference_id 2075687
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2075687
7
reference_url https://security.archlinux.org/AVG-2757
reference_id AVG-2757
reference_type
scores
0
value High
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2757
8
reference_url https://access.redhat.com/errata/RHSA-2022:5338
reference_id RHSA-2022:5338
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:5338
9
reference_url https://access.redhat.com/errata/RHSA-2022:6447
reference_id RHSA-2022:6447
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:6447
10
reference_url https://access.redhat.com/errata/RHSA-2022:6450
reference_id RHSA-2022:6450
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:6450
11
reference_url https://access.redhat.com/errata/RHSA-2022:6585
reference_id RHSA-2022:6585
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:6585
12
reference_url https://access.redhat.com/errata/RHSA-2022:6855
reference_id RHSA-2022:6855
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:6855
13
reference_url https://access.redhat.com/errata/RHSA-2022:6856
reference_id RHSA-2022:6856
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:6856
14
reference_url https://access.redhat.com/errata/RHSA-2023:7025
reference_id RHSA-2023:7025
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7025
15
reference_url https://access.redhat.com/errata/RHSA-2026:7305
reference_id RHSA-2026:7305
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7305
16
reference_url https://access.redhat.com/errata/RHSA-2026:7307
reference_id RHSA-2026:7307
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7307
17
reference_url https://access.redhat.com/errata/RHSA-2026:8838
reference_id RHSA-2026:8838
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8838
18
reference_url https://usn.ubuntu.com/5462-1/
reference_id USN-5462-1
reference_type
scores
url https://usn.ubuntu.com/5462-1/
19
reference_url https://usn.ubuntu.com/5462-2/
reference_id USN-5462-2
reference_type
scores
url https://usn.ubuntu.com/5462-2/
fixed_packages
aliases CVE-2022-28739, GHSA-mvgc-rxvg-hqc6
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2sv2-6snv-2bd3
1
url VCID-5mfh-yzfk-cqaa
vulnerability_id VCID-5mfh-yzfk-cqaa
summary 
StringIO buffer overread vulnerability
An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4.

The `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a string, and a subsequent call to `StringIO.gets` may return the memory value.

This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later.

We recommend to update the StringIO gem to version 3.0.3 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:

* For Ruby 3.0 users: Update to `stringio` 3.0.1.1
* For Ruby 3.1 users: Update to `stringio` 3.1.0.2

You can use `gem update stringio` to update it. If you are using bundler, please add `gem "stringio", ">= 3.0.1.2"` to your `Gemfile`.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27280.json
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27280.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-27280
reference_id
reference_type
scores
0
value 0.06546
scoring_system epss
scoring_elements 0.9116
published_at 2026-04-21T12:55:00Z
1
value 0.0706
scoring_system epss
scoring_elements 0.91495
published_at 2026-04-08T12:55:00Z
2
value 0.0706
scoring_system epss
scoring_elements 0.91524
published_at 2026-04-18T12:55:00Z
3
value 0.0706
scoring_system epss
scoring_elements 0.91482
published_at 2026-04-07T12:55:00Z
4
value 0.0706
scoring_system epss
scoring_elements 0.91467
published_at 2026-04-02T12:55:00Z
5
value 0.0706
scoring_system epss
scoring_elements 0.91473
published_at 2026-04-04T12:55:00Z
6
value 0.0706
scoring_system epss
scoring_elements 0.91529
published_at 2026-04-16T12:55:00Z
7
value 0.0706
scoring_system epss
scoring_elements 0.91508
published_at 2026-04-12T12:55:00Z
8
value 0.0706
scoring_system epss
scoring_elements 0.91506
published_at 2026-04-13T12:55:00Z
9
value 0.0706
scoring_system epss
scoring_elements 0.91501
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-27280
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27280
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27280
3
reference_url http://seclists.org/fulldisclosure/2025/Sep/53
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2025/Sep/53
4
reference_url http://seclists.org/fulldisclosure/2025/Sep/54
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2025/Sep/54
5
reference_url http://seclists.org/fulldisclosure/2025/Sep/55
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2025/Sep/55
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/stringio/CVE-2024-27280.yml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/stringio/CVE-2024-27280.yml
8
reference_url https://github.com/ruby/stringio
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/stringio
9
reference_url https://github.com/ruby/stringio/commit/0e596524097706263d10900ca180898e4a8f5233
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/stringio/commit/0e596524097706263d10900ca180898e4a8f5233
10
reference_url https://github.com/ruby/stringio/commit/c58c5f54f1eab99665ea6a161d29ff6a7490afc8
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/stringio/commit/c58c5f54f1eab99665ea6a161d29ff6a7490afc8
11
reference_url https://hackerone.com/reports/1399856
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-09T18:08:05Z/
url https://hackerone.com/reports/1399856
12
reference_url https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-27280
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-27280
16
reference_url https://security.netapp.com/advisory/ntap-20250502-0003
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250502-0003
17
reference_url https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280
18
reference_url https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-09T18:08:05Z/
url https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069966
reference_id 1069966
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069966
20
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2270750
reference_id 2270750
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2270750
21
reference_url https://github.com/advisories/GHSA-v5h6-c2hv-hv3r
reference_id GHSA-v5h6-c2hv-hv3r
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v5h6-c2hv-hv3r
22
reference_url https://access.redhat.com/errata/RHSA-2024:3500
reference_id RHSA-2024:3500
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3500
23
reference_url https://access.redhat.com/errata/RHSA-2024:3546
reference_id RHSA-2024:3546
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3546
24
reference_url https://access.redhat.com/errata/RHSA-2024:3668
reference_id RHSA-2024:3668
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3668
25
reference_url https://access.redhat.com/errata/RHSA-2024:3670
reference_id RHSA-2024:3670
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3670
26
reference_url https://access.redhat.com/errata/RHSA-2024:3671
reference_id RHSA-2024:3671
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3671
27
reference_url https://access.redhat.com/errata/RHSA-2024:3838
reference_id RHSA-2024:3838
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3838
28
reference_url https://access.redhat.com/errata/RHSA-2024:4499
reference_id RHSA-2024:4499
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4499
29
reference_url https://usn.ubuntu.com/6853-1/
reference_id USN-6853-1
reference_type
scores
url https://usn.ubuntu.com/6853-1/
30
reference_url https://usn.ubuntu.com/7734-1/
reference_id USN-7734-1
reference_type
scores
url https://usn.ubuntu.com/7734-1/
fixed_packages
aliases CVE-2024-27280, GHSA-v5h6-c2hv-hv3r
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5mfh-yzfk-cqaa
2
url VCID-9g2w-sc9w-eyce
vulnerability_id VCID-9g2w-sc9w-eyce
summary Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33621.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33621.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-33621
reference_id
reference_type
scores
0
value 0.01301
scoring_system epss
scoring_elements 0.79764
published_at 2026-04-21T12:55:00Z
1
value 0.01412
scoring_system epss
scoring_elements 0.80528
published_at 2026-04-13T12:55:00Z
2
value 0.01412
scoring_system epss
scoring_elements 0.8056
published_at 2026-04-18T12:55:00Z
3
value 0.01412
scoring_system epss
scoring_elements 0.80536
published_at 2026-04-12T12:55:00Z
4
value 0.01412
scoring_system epss
scoring_elements 0.8055
published_at 2026-04-11T12:55:00Z
5
value 0.01412
scoring_system epss
scoring_elements 0.80532
published_at 2026-04-09T12:55:00Z
6
value 0.01412
scoring_system epss
scoring_elements 0.80522
published_at 2026-04-08T12:55:00Z
7
value 0.01412
scoring_system epss
scoring_elements 0.80492
published_at 2026-04-07T12:55:00Z
8
value 0.01412
scoring_system epss
scoring_elements 0.80502
published_at 2026-04-04T12:55:00Z
9
value 0.01412
scoring_system epss
scoring_elements 0.80481
published_at 2026-04-02T12:55:00Z
10
value 0.01412
scoring_system epss
scoring_elements 0.80475
published_at 2026-04-01T12:55:00Z
11
value 0.01562
scoring_system epss
scoring_elements 0.81521
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-33621
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33621
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33621
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2021-33621.yml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2021-33621.yml
5
reference_url https://hackerone.com/reports/1204695
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1204695
6
reference_url https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html
7
reference_url https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-33621
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-33621
15
reference_url https://security.gentoo.org/glsa/202401-27
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.gentoo.org/glsa/202401-27
16
reference_url https://security.netapp.com/advisory/ntap-20221228-0004
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20221228-0004
17
reference_url https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621
18
reference_url https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements
url https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024799
reference_id 1024799
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024799
20
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2149706
reference_id 2149706
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2149706
21
reference_url https://github.com/advisories/GHSA-vc47-6rqg-c7f5
reference_id GHSA-vc47-6rqg-c7f5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vc47-6rqg-c7f5
22
reference_url https://access.redhat.com/errata/RHSA-2023:3291
reference_id RHSA-2023:3291
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3291
23
reference_url https://access.redhat.com/errata/RHSA-2023:3821
reference_id RHSA-2023:3821
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3821
24
reference_url https://access.redhat.com/errata/RHSA-2023:7025
reference_id RHSA-2023:7025
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7025
25
reference_url https://access.redhat.com/errata/RHSA-2024:1431
reference_id RHSA-2024:1431
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1431
26
reference_url https://access.redhat.com/errata/RHSA-2024:1576
reference_id RHSA-2024:1576
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1576
27
reference_url https://access.redhat.com/errata/RHSA-2024:3500
reference_id RHSA-2024:3500
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3500
28
reference_url https://access.redhat.com/errata/RHSA-2024:3838
reference_id RHSA-2024:3838
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3838
29
reference_url https://access.redhat.com/errata/RHSA-2024:4542
reference_id RHSA-2024:4542
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4542
30
reference_url https://usn.ubuntu.com/5806-1/
reference_id USN-5806-1
reference_type
scores
url https://usn.ubuntu.com/5806-1/
31
reference_url https://usn.ubuntu.com/5806-2/
reference_id USN-5806-2
reference_type
scores
url https://usn.ubuntu.com/5806-2/
32
reference_url https://usn.ubuntu.com/5806-3/
reference_id USN-5806-3
reference_type
scores
url https://usn.ubuntu.com/5806-3/
33
reference_url https://usn.ubuntu.com/6181-1/
reference_id USN-6181-1
reference_type
scores
url https://usn.ubuntu.com/6181-1/
fixed_packages
aliases CVE-2021-33621, GHSA-vc47-6rqg-c7f5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9g2w-sc9w-eyce
3
url VCID-9x9w-2k98-wydm
vulnerability_id VCID-9x9w-2k98-wydm
summary 
Ruby Time component ReDoS issue
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28756.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28756.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-28756
reference_id
reference_type
scores
0
value 0.00651
scoring_system epss
scoring_elements 0.70887
published_at 2026-04-21T12:55:00Z
1
value 0.00707
scoring_system epss
scoring_elements 0.72211
published_at 2026-04-18T12:55:00Z
2
value 0.00826
scoring_system epss
scoring_elements 0.74491
published_at 2026-04-11T12:55:00Z
3
value 0.00826
scoring_system epss
scoring_elements 0.74469
published_at 2026-04-09T12:55:00Z
4
value 0.00826
scoring_system epss
scoring_elements 0.74463
published_at 2026-04-13T12:55:00Z
5
value 0.00826
scoring_system epss
scoring_elements 0.74472
published_at 2026-04-12T12:55:00Z
6
value 0.00826
scoring_system epss
scoring_elements 0.74452
published_at 2026-04-08T12:55:00Z
7
value 0.00826
scoring_system epss
scoring_elements 0.74419
published_at 2026-04-07T12:55:00Z
8
value 0.00826
scoring_system epss
scoring_elements 0.74444
published_at 2026-04-04T12:55:00Z
9
value 0.00826
scoring_system epss
scoring_elements 0.74418
published_at 2026-04-02T12:55:00Z
10
value 0.00914
scoring_system epss
scoring_elements 0.75917
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-28756
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28756
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28756
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/ruby/time
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/time
5
reference_url https://github.com/ruby/time/releases
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/time/releases
6
reference_url https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-26T19:59:50Z/
url https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
7
reference_url https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
14
reference_url https://security.gentoo.org/glsa/202401-27
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-26T19:59:50Z/
url https://security.gentoo.org/glsa/202401-27
15
reference_url https://security.netapp.com/advisory/ntap-20230526-0004
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20230526-0004
16
reference_url https://www.ruby-lang.org/en/downloads/releases
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/downloads/releases
17
reference_url https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released
18
reference_url https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756
19
reference_url https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-26T19:59:50Z/
url https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
20
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036283
reference_id 1036283
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036283
21
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038408
reference_id 1038408
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038408
22
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2184061
reference_id 2184061
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2184061
23
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28756
reference_id CVE-2023-28756
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-28756
24
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/time/CVE-2023-28756.yml
reference_id CVE-2023-28756.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/time/CVE-2023-28756.yml
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
reference_id FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-26T19:59:50Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
26
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
reference_id G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-26T19:59:50Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
27
reference_url https://github.com/advisories/GHSA-fg7x-g82r-94qc
reference_id GHSA-fg7x-g82r-94qc
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fg7x-g82r-94qc
28
reference_url https://security.netapp.com/advisory/ntap-20230526-0004/
reference_id ntap-20230526-0004
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-26T19:59:50Z/
url https://security.netapp.com/advisory/ntap-20230526-0004/
29
reference_url https://github.com/ruby/time/releases/
reference_id releases
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-26T19:59:50Z/
url https://github.com/ruby/time/releases/
30
reference_url https://www.ruby-lang.org/en/downloads/releases/
reference_id releases
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-26T19:59:50Z/
url https://www.ruby-lang.org/en/downloads/releases/
31
reference_url https://access.redhat.com/errata/RHSA-2023:3291
reference_id RHSA-2023:3291
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3291
32
reference_url https://access.redhat.com/errata/RHSA-2023:3821
reference_id RHSA-2023:3821
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3821
33
reference_url https://access.redhat.com/errata/RHSA-2023:7025
reference_id RHSA-2023:7025
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7025
34
reference_url https://access.redhat.com/errata/RHSA-2024:1431
reference_id RHSA-2024:1431
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1431
35
reference_url https://access.redhat.com/errata/RHSA-2024:1576
reference_id RHSA-2024:1576
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1576
36
reference_url https://access.redhat.com/errata/RHSA-2024:3500
reference_id RHSA-2024:3500
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3500
37
reference_url https://access.redhat.com/errata/RHSA-2024:3838
reference_id RHSA-2024:3838
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3838
38
reference_url https://access.redhat.com/errata/RHSA-2026:7305
reference_id RHSA-2026:7305
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7305
39
reference_url https://access.redhat.com/errata/RHSA-2026:7307
reference_id RHSA-2026:7307
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7307
40
reference_url https://access.redhat.com/errata/RHSA-2026:8838
reference_id RHSA-2026:8838
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8838
41
reference_url https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
reference_id ruby-3-2-0-released
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-26T19:59:50Z/
url https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
42
reference_url https://usn.ubuntu.com/6055-1/
reference_id USN-6055-1
reference_type
scores
url https://usn.ubuntu.com/6055-1/
43
reference_url https://usn.ubuntu.com/6087-1/
reference_id USN-6087-1
reference_type
scores
url https://usn.ubuntu.com/6087-1/
44
reference_url https://usn.ubuntu.com/6181-1/
reference_id USN-6181-1
reference_type
scores
url https://usn.ubuntu.com/6181-1/
45
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
reference_id WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
reference_type
scores
0
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-26T19:59:50Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
fixed_packages
aliases CVE-2023-28756, GHSA-fg7x-g82r-94qc
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9x9w-2k98-wydm
4
url VCID-ajtx-8w3u-rkae
vulnerability_id VCID-ajtx-8w3u-rkae
summary 
URI gem has ReDoS vulnerability
A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with `rfc2396_parser.rb` and `rfc3986_parser.rb`.

NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

[The Ruby advisory recommends](https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/) updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead:
- For Ruby 3.0: Update to uri 0.10.3
- For Ruby 3.1 and 3.2: Update to uri 0.12.2.

You can use gem update uri to update it. If you are using bundler, please add gem `uri`, `>= 0.12.2` (or other version mentioned above) to your Gemfile.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-36617.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-36617.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-36617
reference_id
reference_type
scores
0
value 0.00906
scoring_system epss
scoring_elements 0.75767
published_at 2026-04-21T12:55:00Z
1
value 0.00983
scoring_system epss
scoring_elements 0.76842
published_at 2026-04-16T12:55:00Z
2
value 0.00983
scoring_system epss
scoring_elements 0.76847
published_at 2026-04-18T12:55:00Z
3
value 0.00983
scoring_system epss
scoring_elements 0.76799
published_at 2026-04-13T12:55:00Z
4
value 0.00983
scoring_system epss
scoring_elements 0.76745
published_at 2026-04-02T12:55:00Z
5
value 0.00983
scoring_system epss
scoring_elements 0.76774
published_at 2026-04-04T12:55:00Z
6
value 0.00983
scoring_system epss
scoring_elements 0.76755
published_at 2026-04-07T12:55:00Z
7
value 0.00983
scoring_system epss
scoring_elements 0.76787
published_at 2026-04-08T12:55:00Z
8
value 0.00983
scoring_system epss
scoring_elements 0.76797
published_at 2026-04-09T12:55:00Z
9
value 0.00983
scoring_system epss
scoring_elements 0.76826
published_at 2026-04-11T12:55:00Z
10
value 0.00983
scoring_system epss
scoring_elements 0.76806
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-36617
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36617
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36617
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/ruby/uri
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri
5
reference_url https://github.com/ruby/uri/commit/05b1e7d026b886e65a60ee35625229da9ec220bb
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/commit/05b1e7d026b886e65a60ee35625229da9ec220bb
6
reference_url https://github.com/ruby/uri/commit/38bf797c488bcb4a37fb322bfa84977981863ec6
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/commit/38bf797c488bcb4a37fb322bfa84977981863ec6
7
reference_url https://github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0
8
reference_url https://github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35f
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35f
9
reference_url https://github.com/ruby/uri/commit/70794abc162bb15bb934713b5669713d6700d35c
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/commit/70794abc162bb15bb934713b5669713d6700d35c
10
reference_url https://github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3
11
reference_url https://github.com/ruby/uri/commit/9a8e0cc03da964054c2a4ea26b59c53c3bae4921
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/commit/9a8e0cc03da964054c2a4ea26b59c53c3bae4921
12
reference_url https://github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8fa
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8fa
13
reference_url https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
17
reference_url https://security.netapp.com/advisory/ntap-20230725-0002
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20230725-0002
18
reference_url https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
19
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2218614
reference_id 2218614
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2218614
20
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-36617
reference_id CVE-2023-36617
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-36617
21
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-36617.yml
reference_id CVE-2023-36617.YML
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-36617.yml
22
reference_url https://github.com/advisories/GHSA-hww2-5g85-429m
reference_id GHSA-hww2-5g85-429m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hww2-5g85-429m
23
reference_url https://access.redhat.com/errata/RHSA-2024:1431
reference_id RHSA-2024:1431
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1431
24
reference_url https://access.redhat.com/errata/RHSA-2024:1576
reference_id RHSA-2024:1576
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1576
25
reference_url https://access.redhat.com/errata/RHSA-2024:4499
reference_id RHSA-2024:4499
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4499
26
reference_url https://usn.ubuntu.com/6219-1/
reference_id USN-6219-1
reference_type
scores
url https://usn.ubuntu.com/6219-1/
27
reference_url https://usn.ubuntu.com/7747-1/
reference_id USN-7747-1
reference_type
scores
url https://usn.ubuntu.com/7747-1/
fixed_packages
aliases CVE-2023-36617, GHSA-hww2-5g85-429m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ajtx-8w3u-rkae
5
url VCID-c5xq-bv4t-73ff
vulnerability_id VCID-c5xq-bv4t-73ff
summary 
REXML contains a denial of service vulnerability
### Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many `>`s in an attribute value.

If you need to parse untrusted XMLs, you may be impacted to this vulnerability.

### Patches

The REXML gem 3.2.7 or later include the patch to fix this vulnerability.

### Workarounds

Don't parse untrusted XMLs.

### References

* https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-35176.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-35176.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-35176
reference_id
reference_type
scores
0
value 0.06399
scoring_system epss
scoring_elements 0.91056
published_at 2026-04-21T12:55:00Z
1
value 0.06902
scoring_system epss
scoring_elements 0.91418
published_at 2026-04-16T12:55:00Z
2
value 0.06902
scoring_system epss
scoring_elements 0.91393
published_at 2026-04-13T12:55:00Z
3
value 0.06902
scoring_system epss
scoring_elements 0.91391
published_at 2026-04-11T12:55:00Z
4
value 0.06902
scoring_system epss
scoring_elements 0.91384
published_at 2026-04-09T12:55:00Z
5
value 0.06902
scoring_system epss
scoring_elements 0.91377
published_at 2026-04-08T12:55:00Z
6
value 0.06902
scoring_system epss
scoring_elements 0.91414
published_at 2026-04-18T12:55:00Z
7
value 0.06902
scoring_system epss
scoring_elements 0.91365
published_at 2026-04-07T12:55:00Z
8
value 0.06902
scoring_system epss
scoring_elements 0.91358
published_at 2026-04-04T12:55:00Z
9
value 0.06902
scoring_system epss
scoring_elements 0.91347
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-35176
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35176
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35176
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/ruby/rexml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rexml
5
reference_url https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-16T18:26:15Z/
url https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
6
reference_url https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-16T18:26:15Z/
url https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
7
reference_url https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-35176
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-35176
9
reference_url https://security.netapp.com/advisory/ntap-20250306-0001
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250306-0001
10
reference_url https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-16T18:26:15Z/
url https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071626
reference_id 1071626
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071626
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2280894
reference_id 2280894
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2280894
13
reference_url https://github.com/advisories/GHSA-vg3r-rm7w-2xgh
reference_id GHSA-vg3r-rm7w-2xgh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vg3r-rm7w-2xgh
14
reference_url https://security.gentoo.org/glsa/202507-08
reference_id GLSA-202507-08
reference_type
scores
url https://security.gentoo.org/glsa/202507-08
15
reference_url https://access.redhat.com/errata/RHSA-2024:4499
reference_id RHSA-2024:4499
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4499
16
reference_url https://access.redhat.com/errata/RHSA-2024:5338
reference_id RHSA-2024:5338
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5338
17
reference_url https://usn.ubuntu.com/7091-1/
reference_id USN-7091-1
reference_type
scores
url https://usn.ubuntu.com/7091-1/
18
reference_url https://usn.ubuntu.com/7091-2/
reference_id USN-7091-2
reference_type
scores
url https://usn.ubuntu.com/7091-2/
19
reference_url https://usn.ubuntu.com/7418-1/
reference_id USN-7418-1
reference_type
scores
url https://usn.ubuntu.com/7418-1/
20
reference_url https://usn.ubuntu.com/7734-1/
reference_id USN-7734-1
reference_type
scores
url https://usn.ubuntu.com/7734-1/
21
reference_url https://usn.ubuntu.com/7840-1/
reference_id USN-7840-1
reference_type
scores
url https://usn.ubuntu.com/7840-1/
fixed_packages
aliases CVE-2024-35176, GHSA-vg3r-rm7w-2xgh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c5xq-bv4t-73ff
6
url VCID-exq5-cnrm-3uhd
vulnerability_id VCID-exq5-cnrm-3uhd
summary 
CGI has Denial of Service (DoS) potential in Cookie.parse
There is a possibility for DoS by in the cgi gem.
This vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.

## Details

CGI::Cookie.parse took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.

Please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.

## Affected versions

cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.

## Credits

Thanks to lio346 for discovering this issue.
Also thanks to mame for fixing this vulnerability.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27219.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27219.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27219
reference_id
reference_type
scores
0
value 0.00316
scoring_system epss
scoring_elements 0.54679
published_at 2026-04-18T12:55:00Z
1
value 0.00316
scoring_system epss
scoring_elements 0.54678
published_at 2026-04-16T12:55:00Z
2
value 0.00316
scoring_system epss
scoring_elements 0.5464
published_at 2026-04-13T12:55:00Z
3
value 0.00316
scoring_system epss
scoring_elements 0.54661
published_at 2026-04-12T12:55:00Z
4
value 0.00349
scoring_system epss
scoring_elements 0.57409
published_at 2026-04-21T12:55:00Z
5
value 0.00349
scoring_system epss
scoring_elements 0.57444
published_at 2026-04-11T12:55:00Z
6
value 0.00416
scoring_system epss
scoring_elements 0.6169
published_at 2026-04-09T12:55:00Z
7
value 0.00416
scoring_system epss
scoring_elements 0.61675
published_at 2026-04-08T12:55:00Z
8
value 0.00623
scoring_system epss
scoring_elements 0.70084
published_at 2026-04-07T12:55:00Z
9
value 0.00778
scoring_system epss
scoring_elements 0.73631
published_at 2026-04-04T12:55:00Z
10
value 0.00778
scoring_system epss
scoring_elements 0.73608
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27219
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27219
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27219
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/ruby/cgi
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/cgi
5
reference_url https://github.com/ruby/cgi/pull/52
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/cgi/pull/52
6
reference_url https://github.com/ruby/cgi/pull/53
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/cgi/pull/53
7
reference_url https://github.com/ruby/cgi/pull/54
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/cgi/pull/54
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:41:05Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml
9
reference_url https://hackerone.com/reports/2936778
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:41:05Z/
url https://hackerone.com/reports/2936778
10
reference_url https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27219
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27219
12
reference_url https://www.cve.org/CVERecord?id=CVE-2025-27219
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements
1
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.cve.org/CVERecord?id=CVE-2025-27219
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103792
reference_id 1103792
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103792
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2349699
reference_id 2349699
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2349699
15
reference_url https://github.com/advisories/GHSA-gh9q-2xrm-x6qv
reference_id GHSA-gh9q-2xrm-x6qv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gh9q-2xrm-x6qv
16
reference_url https://access.redhat.com/errata/RHSA-2025:10217
reference_id RHSA-2025:10217
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:10217
17
reference_url https://access.redhat.com/errata/RHSA-2025:4063
reference_id RHSA-2025:4063
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4063
18
reference_url https://access.redhat.com/errata/RHSA-2025:4487
reference_id RHSA-2025:4487
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4487
19
reference_url https://access.redhat.com/errata/RHSA-2025:4488
reference_id RHSA-2025:4488
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4488
20
reference_url https://access.redhat.com/errata/RHSA-2025:4493
reference_id RHSA-2025:4493
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4493
21
reference_url https://access.redhat.com/errata/RHSA-2025:8131
reference_id RHSA-2025:8131
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8131
22
reference_url https://usn.ubuntu.com/7418-1/
reference_id USN-7418-1
reference_type
scores
url https://usn.ubuntu.com/7418-1/
23
reference_url https://usn.ubuntu.com/7442-1/
reference_id USN-7442-1
reference_type
scores
url https://usn.ubuntu.com/7442-1/
fixed_packages
aliases CVE-2025-27219, GHSA-gh9q-2xrm-x6qv
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-exq5-cnrm-3uhd
7
url VCID-h4mf-99f4-9bdw
vulnerability_id VCID-h4mf-99f4-9bdw
summary 
CGI has Regular Expression Denial of Service (ReDoS) potential in Util#escapeElement
There is a possibility for Regular expression Denial of Service (ReDoS) by in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem.

## Details

The regular expression used in `CGI::Util#escapeElement` is vulnerable to ReDoS. The crafted input could lead to a high CPU consumption.

This vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.

## Affected versions

cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.

## Credits

Thanks to svalkanov for discovering this issue.
Also thanks to nobu for fixing this vulnerability.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27220.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27220.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27220
reference_id
reference_type
scores
0
value 0.00181
scoring_system epss
scoring_elements 0.39827
published_at 2026-04-18T12:55:00Z
1
value 0.00181
scoring_system epss
scoring_elements 0.39855
published_at 2026-04-16T12:55:00Z
2
value 0.00181
scoring_system epss
scoring_elements 0.39805
published_at 2026-04-13T12:55:00Z
3
value 0.00181
scoring_system epss
scoring_elements 0.39822
published_at 2026-04-12T12:55:00Z
4
value 0.002
scoring_system epss
scoring_elements 0.42161
published_at 2026-04-11T12:55:00Z
5
value 0.00253
scoring_system epss
scoring_elements 0.48634
published_at 2026-04-21T12:55:00Z
6
value 0.00282
scoring_system epss
scoring_elements 0.51609
published_at 2026-04-09T12:55:00Z
7
value 0.00282
scoring_system epss
scoring_elements 0.51613
published_at 2026-04-08T12:55:00Z
8
value 0.00483
scoring_system epss
scoring_elements 0.65173
published_at 2026-04-07T12:55:00Z
9
value 0.00566
scoring_system epss
scoring_elements 0.68425
published_at 2026-04-04T12:55:00Z
10
value 0.00566
scoring_system epss
scoring_elements 0.68405
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27220
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27220
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27220
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/ruby/cgi
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/cgi
5
reference_url https://github.com/ruby/cgi/pull/52
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/cgi/pull/52
6
reference_url https://github.com/ruby/cgi/pull/53
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/cgi/pull/53
7
reference_url https://github.com/ruby/cgi/pull/54
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/cgi/pull/54
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml
reference_id
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:39:36Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml
9
reference_url https://hackerone.com/reports/2890322
reference_id
reference_type
scores
0
value 4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:39:36Z/
url https://hackerone.com/reports/2890322
10
reference_url https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27220
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27220
12
reference_url https://www.cve.org/CVERecord?id=CVE-2025-27220
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3
scoring_elements
1
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.cve.org/CVERecord?id=CVE-2025-27220
13
reference_url https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103793
reference_id 1103793
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103793
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2349696
reference_id 2349696
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2349696
16
reference_url https://github.com/advisories/GHSA-mhwm-jh88-3gjf
reference_id GHSA-mhwm-jh88-3gjf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mhwm-jh88-3gjf
17
reference_url https://access.redhat.com/errata/RHSA-2025:4063
reference_id RHSA-2025:4063
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4063
18
reference_url https://access.redhat.com/errata/RHSA-2025:4487
reference_id RHSA-2025:4487
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4487
19
reference_url https://access.redhat.com/errata/RHSA-2025:4488
reference_id RHSA-2025:4488
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4488
20
reference_url https://usn.ubuntu.com/7418-1/
reference_id USN-7418-1
reference_type
scores
url https://usn.ubuntu.com/7418-1/
21
reference_url https://usn.ubuntu.com/7442-1/
reference_id USN-7442-1
reference_type
scores
url https://usn.ubuntu.com/7442-1/
fixed_packages
aliases CVE-2025-27220, GHSA-mhwm-jh88-3gjf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h4mf-99f4-9bdw
8
url VCID-jdtw-bn8z-e3b6
vulnerability_id VCID-jdtw-bn8z-e3b6
summary 
REXML denial of service vulnerability
### Impact

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.

If you need to parse untrusted XMLs with tree parser API like `REXML::Document.new`, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.

### Patches

The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

### Workarounds

Don't parse untrusted XMLs with tree parser API.

### References

* https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-43398.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-43398.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-43398
reference_id
reference_type
scores
0
value 0.01135
scoring_system epss
scoring_elements 0.78401
published_at 2026-04-18T12:55:00Z
1
value 0.01135
scoring_system epss
scoring_elements 0.78402
published_at 2026-04-16T12:55:00Z
2
value 0.01135
scoring_system epss
scoring_elements 0.78373
published_at 2026-04-13T12:55:00Z
3
value 0.01135
scoring_system epss
scoring_elements 0.7838
published_at 2026-04-12T12:55:00Z
4
value 0.01135
scoring_system epss
scoring_elements 0.78325
published_at 2026-04-02T12:55:00Z
5
value 0.01135
scoring_system epss
scoring_elements 0.78397
published_at 2026-04-11T12:55:00Z
6
value 0.01135
scoring_system epss
scoring_elements 0.78371
published_at 2026-04-09T12:55:00Z
7
value 0.01135
scoring_system epss
scoring_elements 0.78365
published_at 2026-04-08T12:55:00Z
8
value 0.01135
scoring_system epss
scoring_elements 0.78339
published_at 2026-04-07T12:55:00Z
9
value 0.01135
scoring_system epss
scoring_elements 0.78356
published_at 2026-04-04T12:55:00Z
10
value 0.01167
scoring_system epss
scoring_elements 0.78661
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-43398
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43398
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43398
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/ruby/rexml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rexml
5
reference_url https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3
6
reference_url https://github.com/ruby/rexml/releases/tag/v3.3.6
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T14:43:15Z/
url https://github.com/ruby/rexml/releases/tag/v3.3.6
7
reference_url https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements
1
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
4
value HIGH
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-22T14:43:15Z/
url https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-43398.yml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-43398.yml
9
reference_url https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-43398
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-43398
11
reference_url https://security.netapp.com/advisory/ntap-20250103-0006
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250103-0006
12
reference_url https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083190
reference_id 1083190
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083190
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2307297
reference_id 2307297
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2307297
15
reference_url https://github.com/advisories/GHSA-vmwr-mc7x-5vc3
reference_id GHSA-vmwr-mc7x-5vc3
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vmwr-mc7x-5vc3
16
reference_url https://security.gentoo.org/glsa/202507-08
reference_id GLSA-202507-08
reference_type
scores
url https://security.gentoo.org/glsa/202507-08
17
reference_url https://access.redhat.com/errata/RHSA-2024:6670
reference_id RHSA-2024:6670
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6670
18
reference_url https://access.redhat.com/errata/RHSA-2024:6702
reference_id RHSA-2024:6702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6702
19
reference_url https://access.redhat.com/errata/RHSA-2024:6703
reference_id RHSA-2024:6703
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6703
20
reference_url https://access.redhat.com/errata/RHSA-2024:6784
reference_id RHSA-2024:6784
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6784
21
reference_url https://access.redhat.com/errata/RHSA-2024:6785
reference_id RHSA-2024:6785
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6785
22
reference_url https://access.redhat.com/errata/RHSA-2025:4063
reference_id RHSA-2025:4063
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4063
23
reference_url https://access.redhat.com/errata/RHSA-2025:4488
reference_id RHSA-2025:4488
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4488
24
reference_url https://usn.ubuntu.com/7256-1/
reference_id USN-7256-1
reference_type
scores
url https://usn.ubuntu.com/7256-1/
25
reference_url https://usn.ubuntu.com/7418-1/
reference_id USN-7418-1
reference_type
scores
url https://usn.ubuntu.com/7418-1/
fixed_packages
aliases CVE-2024-43398, GHSA-vmwr-mc7x-5vc3
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jdtw-bn8z-e3b6
9
url VCID-m4a8-ya4v-tkgm
vulnerability_id VCID-m4a8-ya4v-tkgm
summary 
RDoc RCE vulnerability with .rdoc_options
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.

When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.

When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.

We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:

* For Ruby 3.0 users: Update to `rdoc` 6.3.4.1
* For Ruby 3.1 users: Update to `rdoc` 6.4.1.1
* For Ruby 3.2 users: Update to `rdoc` 6.5.1.1

You can use `gem update rdoc` to update it. If you are using bundler, please add `gem "rdoc", ">= 6.6.3.1"` to your `Gemfile`.

Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to upgrade 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead of them.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27281.json
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27281.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-27281
reference_id
reference_type
scores
0
value 0.02273
scoring_system epss
scoring_elements 0.8468
published_at 2026-04-21T12:55:00Z
1
value 0.02463
scoring_system epss
scoring_elements 0.85249
published_at 2026-04-13T12:55:00Z
2
value 0.02463
scoring_system epss
scoring_elements 0.8527
published_at 2026-04-18T12:55:00Z
3
value 0.02463
scoring_system epss
scoring_elements 0.85254
published_at 2026-04-11T12:55:00Z
4
value 0.02463
scoring_system epss
scoring_elements 0.85252
published_at 2026-04-12T12:55:00Z
5
value 0.02463
scoring_system epss
scoring_elements 0.85269
published_at 2026-04-16T12:55:00Z
6
value 0.02463
scoring_system epss
scoring_elements 0.8519
published_at 2026-04-02T12:55:00Z
7
value 0.02463
scoring_system epss
scoring_elements 0.85208
published_at 2026-04-04T12:55:00Z
8
value 0.02463
scoring_system epss
scoring_elements 0.8521
published_at 2026-04-07T12:55:00Z
9
value 0.02463
scoring_system epss
scoring_elements 0.85231
published_at 2026-04-08T12:55:00Z
10
value 0.02463
scoring_system epss
scoring_elements 0.8524
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-27281
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27281
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27281
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/ruby/rdoc
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rdoc
5
reference_url https://github.com/ruby/rdoc/commit/1254b0066f312ddbf7fae7a195e66ce5b3bc6656
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rdoc/commit/1254b0066f312ddbf7fae7a195e66ce5b3bc6656
6
reference_url https://github.com/ruby/rdoc/commit/32ff6ba0bebd8ea26f569da5fd23be2937f6a644
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rdoc/commit/32ff6ba0bebd8ea26f569da5fd23be2937f6a644
7
reference_url https://github.com/ruby/rdoc/commit/48617985e9fbc2825219d55f04e3e0e98d2923be
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rdoc/commit/48617985e9fbc2825219d55f04e3e0e98d2923be
8
reference_url https://github.com/ruby/rdoc/commit/811f125a4a0cc968e3eb18e16ea6c1a3b49a11bf
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rdoc/commit/811f125a4a0cc968e3eb18e16ea6c1a3b49a11bf
9
reference_url https://github.com/ruby/rdoc/commit/a5de13bf0f0c26f8e764e82b5bf4bf8bffc7198e
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rdoc/commit/a5de13bf0f0c26f8e764e82b5bf4bf8bffc7198e
10
reference_url https://github.com/ruby/rdoc/commit/d22ba930f1f611dda531dba04cd3d2531bb3f8a5
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rdoc/commit/d22ba930f1f611dda531dba04cd3d2531bb3f8a5
11
reference_url https://github.com/ruby/rdoc/commit/da7a0c7553ef7250ca665a3fecdc01dbaacbb43d
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rdoc/commit/da7a0c7553ef7250ca665a3fecdc01dbaacbb43d
12
reference_url https://github.com/ruby/rdoc/commit/e4a0e71e6f1032f8b4e5e58b4ef60d702c22ce17
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rdoc/commit/e4a0e71e6f1032f8b4e5e58b4ef60d702c22ce17
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rdoc/CVE-2024-27281.yml
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rdoc/CVE-2024-27281.yml
14
reference_url https://hackerone.com/reports/1187477
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-20T13:50:49Z/
url https://hackerone.com/reports/1187477
15
reference_url https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N
18
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-27281
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-27281
19
reference_url https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281
20
reference_url https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
reference_id
reference_type
scores
0
value 4.5
scoring_system cvssv3
scoring_elements
1
value 4.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-20T13:50:49Z/
url https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
21
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067803
reference_id 1067803
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067803
22
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2270749
reference_id 2270749
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2270749
23
reference_url https://github.com/advisories/GHSA-592j-995h-p23j
reference_id GHSA-592j-995h-p23j
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-592j-995h-p23j
24
reference_url https://security.gentoo.org/glsa/202406-03
reference_id GLSA-202406-03
reference_type
scores
url https://security.gentoo.org/glsa/202406-03
25
reference_url https://access.redhat.com/errata/RHSA-2024:3500
reference_id RHSA-2024:3500
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3500
26
reference_url https://access.redhat.com/errata/RHSA-2024:3546
reference_id RHSA-2024:3546
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3546
27
reference_url https://access.redhat.com/errata/RHSA-2024:3668
reference_id RHSA-2024:3668
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3668
28
reference_url https://access.redhat.com/errata/RHSA-2024:3670
reference_id RHSA-2024:3670
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3670
29
reference_url https://access.redhat.com/errata/RHSA-2024:3671
reference_id RHSA-2024:3671
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3671
30
reference_url https://access.redhat.com/errata/RHSA-2024:3838
reference_id RHSA-2024:3838
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3838
31
reference_url https://access.redhat.com/errata/RHSA-2024:4499
reference_id RHSA-2024:4499
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4499
32
reference_url https://usn.ubuntu.com/6838-1/
reference_id USN-6838-1
reference_type
scores
url https://usn.ubuntu.com/6838-1/
33
reference_url https://usn.ubuntu.com/6838-2/
reference_id USN-6838-2
reference_type
scores
url https://usn.ubuntu.com/6838-2/
fixed_packages
aliases CVE-2024-27281, GHSA-592j-995h-p23j
risk_score 2.0
exploitability 0.5
weighted_severity 4.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m4a8-ya4v-tkgm
10
url VCID-m6hy-vnf9-hyfe
vulnerability_id VCID-m6hy-vnf9-hyfe
summary 
REXML DoS vulnerability
### Impact

The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.

If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability.

### Patches

The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

### Workarounds

Don't parse untrusted XMLs with SAX2 or pull parser API.

### References

* https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability
* https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41946.json
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41946.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-41946
reference_id
reference_type
scores
0
value 0.00661
scoring_system epss
scoring_elements 0.71127
published_at 2026-04-09T12:55:00Z
1
value 0.00661
scoring_system epss
scoring_elements 0.71119
published_at 2026-04-13T12:55:00Z
2
value 0.00661
scoring_system epss
scoring_elements 0.71135
published_at 2026-04-12T12:55:00Z
3
value 0.00661
scoring_system epss
scoring_elements 0.7115
published_at 2026-04-11T12:55:00Z
4
value 0.00661
scoring_system epss
scoring_elements 0.71114
published_at 2026-04-08T12:55:00Z
5
value 0.00661
scoring_system epss
scoring_elements 0.71072
published_at 2026-04-07T12:55:00Z
6
value 0.00661
scoring_system epss
scoring_elements 0.71097
published_at 2026-04-04T12:55:00Z
7
value 0.00661
scoring_system epss
scoring_elements 0.7108
published_at 2026-04-02T12:55:00Z
8
value 0.00661
scoring_system epss
scoring_elements 0.71172
published_at 2026-04-18T12:55:00Z
9
value 0.00661
scoring_system epss
scoring_elements 0.71165
published_at 2026-04-16T12:55:00Z
10
value 0.00679
scoring_system epss
scoring_elements 0.71584
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-41946
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41946
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41946
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/ruby/rexml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rexml
5
reference_url https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-01T15:45:10Z/
url https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
6
reference_url https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-01T15:45:10Z/
url https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml
8
reference_url https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-41946
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-41946
10
reference_url https://security.netapp.com/advisory/ntap-20250117-0007
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250117-0007
11
reference_url https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-01T15:45:10Z/
url https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
12
reference_url https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
2
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-01T15:45:10Z/
url https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083190
reference_id 1083190
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083190
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2302272
reference_id 2302272
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2302272
15
reference_url https://github.com/advisories/GHSA-5866-49gr-22v4
reference_id GHSA-5866-49gr-22v4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5866-49gr-22v4
16
reference_url https://security.gentoo.org/glsa/202507-08
reference_id GLSA-202507-08
reference_type
scores
url https://security.gentoo.org/glsa/202507-08
17
reference_url https://access.redhat.com/errata/RHSA-2024:6670
reference_id RHSA-2024:6670
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6670
18
reference_url https://access.redhat.com/errata/RHSA-2024:6702
reference_id RHSA-2024:6702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6702
19
reference_url https://access.redhat.com/errata/RHSA-2024:6703
reference_id RHSA-2024:6703
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6703
20
reference_url https://access.redhat.com/errata/RHSA-2024:6784
reference_id RHSA-2024:6784
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6784
21
reference_url https://access.redhat.com/errata/RHSA-2024:6785
reference_id RHSA-2024:6785
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6785
22
reference_url https://access.redhat.com/errata/RHSA-2025:4063
reference_id RHSA-2025:4063
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4063
23
reference_url https://access.redhat.com/errata/RHSA-2025:4488
reference_id RHSA-2025:4488
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4488
24
reference_url https://usn.ubuntu.com/7091-1/
reference_id USN-7091-1
reference_type
scores
url https://usn.ubuntu.com/7091-1/
25
reference_url https://usn.ubuntu.com/7091-2/
reference_id USN-7091-2
reference_type
scores
url https://usn.ubuntu.com/7091-2/
26
reference_url https://usn.ubuntu.com/7840-1/
reference_id USN-7840-1
reference_type
scores
url https://usn.ubuntu.com/7840-1/
fixed_packages
aliases CVE-2024-41946, GHSA-5866-49gr-22v4
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m6hy-vnf9-hyfe
11
url VCID-msc8-xjz2-2kb4
vulnerability_id VCID-msc8-xjz2-2kb4
summary 
REXML ReDoS vulnerability
### Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

### Patches

The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

### Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.

### References

* https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49761.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49761.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-49761
reference_id
reference_type
scores
0
value 0.00899
scoring_system epss
scoring_elements 0.75696
published_at 2026-04-18T12:55:00Z
1
value 0.00899
scoring_system epss
scoring_elements 0.75693
published_at 2026-04-16T12:55:00Z
2
value 0.00899
scoring_system epss
scoring_elements 0.75661
published_at 2026-04-12T12:55:00Z
3
value 0.00899
scoring_system epss
scoring_elements 0.7568
published_at 2026-04-11T12:55:00Z
4
value 0.00899
scoring_system epss
scoring_elements 0.75644
published_at 2026-04-08T12:55:00Z
5
value 0.00899
scoring_system epss
scoring_elements 0.75599
published_at 2026-04-02T12:55:00Z
6
value 0.00899
scoring_system epss
scoring_elements 0.7563
published_at 2026-04-04T12:55:00Z
7
value 0.00899
scoring_system epss
scoring_elements 0.75655
published_at 2026-04-13T12:55:00Z
8
value 0.00899
scoring_system epss
scoring_elements 0.7561
published_at 2026-04-07T12:55:00Z
9
value 0.0169
scoring_system epss
scoring_elements 0.82264
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-49761
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49761
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49761
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/ruby/rexml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rexml
5
reference_url https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-28T14:57:03Z/
url https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
6
reference_url https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-28T14:57:03Z/
url https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-49761.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-49761.yml
8
reference_url https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-49761
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-49761
10
reference_url https://security.netapp.com/advisory/ntap-20241227-0004
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20241227-0004
11
reference_url https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-28T14:57:03Z/
url https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103790
reference_id 1103790
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103790
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2322153
reference_id 2322153
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2322153
14
reference_url https://github.com/advisories/GHSA-2rxp-v6pw-ch6m
reference_id GHSA-2rxp-v6pw-ch6m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2rxp-v6pw-ch6m
15
reference_url https://security.gentoo.org/glsa/202507-08
reference_id GLSA-202507-08
reference_type
scores
url https://security.gentoo.org/glsa/202507-08
16
reference_url https://access.redhat.com/errata/RHSA-2024:10777
reference_id RHSA-2024:10777
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10777
17
reference_url https://access.redhat.com/errata/RHSA-2024:10834
reference_id RHSA-2024:10834
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10834
18
reference_url https://access.redhat.com/errata/RHSA-2024:10850
reference_id RHSA-2024:10850
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10850
19
reference_url https://access.redhat.com/errata/RHSA-2024:10858
reference_id RHSA-2024:10858
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10858
20
reference_url https://access.redhat.com/errata/RHSA-2024:10860
reference_id RHSA-2024:10860
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10860
21
reference_url https://access.redhat.com/errata/RHSA-2024:10961
reference_id RHSA-2024:10961
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10961
22
reference_url https://access.redhat.com/errata/RHSA-2024:10964
reference_id RHSA-2024:10964
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10964
23
reference_url https://access.redhat.com/errata/RHSA-2024:10966
reference_id RHSA-2024:10966
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10966
24
reference_url https://access.redhat.com/errata/RHSA-2024:10977
reference_id RHSA-2024:10977
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10977
25
reference_url https://access.redhat.com/errata/RHSA-2024:10982
reference_id RHSA-2024:10982
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10982
26
reference_url https://access.redhat.com/errata/RHSA-2024:10984
reference_id RHSA-2024:10984
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10984
27
reference_url https://access.redhat.com/errata/RHSA-2024:11001
reference_id RHSA-2024:11001
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:11001
28
reference_url https://access.redhat.com/errata/RHSA-2024:11027
reference_id RHSA-2024:11027
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:11027
29
reference_url https://access.redhat.com/errata/RHSA-2024:11028
reference_id RHSA-2024:11028
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:11028
30
reference_url https://access.redhat.com/errata/RHSA-2024:11029
reference_id RHSA-2024:11029
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:11029
31
reference_url https://access.redhat.com/errata/RHSA-2025:11047
reference_id RHSA-2025:11047
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:11047
32
reference_url https://access.redhat.com/errata/RHSA-2025:12499
reference_id RHSA-2025:12499
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:12499
33
reference_url https://access.redhat.com/errata/RHSA-2025:13269
reference_id RHSA-2025:13269
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:13269
34
reference_url https://access.redhat.com/errata/RHSA-2025:13307
reference_id RHSA-2025:13307
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:13307
35
reference_url https://access.redhat.com/errata/RHSA-2025:15124
reference_id RHSA-2025:15124
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:15124
36
reference_url https://access.redhat.com/errata/RHSA-2025:15371
reference_id RHSA-2025:15371
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:15371
37
reference_url https://access.redhat.com/errata/RHSA-2025:17614
reference_id RHSA-2025:17614
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:17614
38
reference_url https://usn.ubuntu.com/7091-1/
reference_id USN-7091-1
reference_type
scores
url https://usn.ubuntu.com/7091-1/
39
reference_url https://usn.ubuntu.com/7091-2/
reference_id USN-7091-2
reference_type
scores
url https://usn.ubuntu.com/7091-2/
40
reference_url https://usn.ubuntu.com/7442-1/
reference_id USN-7442-1
reference_type
scores
url https://usn.ubuntu.com/7442-1/
fixed_packages
aliases CVE-2024-49761, GHSA-2rxp-v6pw-ch6m
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-msc8-xjz2-2kb4
12
url VCID-n1ja-n53g-fycm
vulnerability_id VCID-n1ja-n53g-fycm
summary 
URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+
There is a possibility for userinfo leakage by in the uri gem.
This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.

## Details

The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur.

Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.

## Affected versions

uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2.

## Credits

Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.
Also thanks to nobu for additional fixes of this vulnerability.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27221.json
reference_id
reference_type
scores
0
value 3.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27221.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27221
reference_id
reference_type
scores
0
value 0.00038
scoring_system epss
scoring_elements 0.11384
published_at 2026-04-02T12:55:00Z
1
value 0.00038
scoring_system epss
scoring_elements 0.1144
published_at 2026-04-04T12:55:00Z
2
value 0.00118
scoring_system epss
scoring_elements 0.30715
published_at 2026-04-07T12:55:00Z
3
value 0.00137
scoring_system epss
scoring_elements 0.33592
published_at 2026-04-16T12:55:00Z
4
value 0.00137
scoring_system epss
scoring_elements 0.33558
published_at 2026-04-13T12:55:00Z
5
value 0.00137
scoring_system epss
scoring_elements 0.33581
published_at 2026-04-12T12:55:00Z
6
value 0.00137
scoring_system epss
scoring_elements 0.33568
published_at 2026-04-18T12:55:00Z
7
value 0.00152
scoring_system epss
scoring_elements 0.35907
published_at 2026-04-11T12:55:00Z
8
value 0.00166
scoring_system epss
scoring_elements 0.37709
published_at 2026-04-09T12:55:00Z
9
value 0.00166
scoring_system epss
scoring_elements 0.37695
published_at 2026-04-08T12:55:00Z
10
value 0.00173
scoring_system epss
scoring_elements 0.38651
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27221
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27221
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27221
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml
reference_id
reference_type
scores
0
value 3.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:38:46Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml
5
reference_url https://github.com/ruby/uri
reference_id
reference_type
scores
0
value 3.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri
6
reference_url https://github.com/ruby/uri/pull/154
reference_id
reference_type
scores
0
value 3.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/pull/154
7
reference_url https://github.com/ruby/uri/pull/155
reference_id
reference_type
scores
0
value 3.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/pull/155
8
reference_url https://github.com/ruby/uri/pull/156
reference_id
reference_type
scores
0
value 3.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/pull/156
9
reference_url https://github.com/ruby/uri/pull/157
reference_id
reference_type
scores
0
value 3.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/pull/157
10
reference_url https://hackerone.com/reports/2957667
reference_id
reference_type
scores
0
value 3.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-04T16:38:46Z/
url https://hackerone.com/reports/2957667
11
reference_url https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html
reference_id
reference_type
scores
0
value 3.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html
12
reference_url https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html
reference_id
reference_type
scores
0
value 3.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27221
reference_id
reference_type
scores
0
value 3.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27221
14
reference_url https://www.cve.org/CVERecord?id=CVE-2025-27221
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 3.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
2
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
url https://www.cve.org/CVERecord?id=CVE-2025-27221
15
reference_url https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
reference_id
reference_type
scores
0
value 3.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
16
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103794
reference_id 1103794
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103794
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2349700
reference_id 2349700
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2349700
18
reference_url https://github.com/advisories/GHSA-22h5-pq3x-2gf2
reference_id GHSA-22h5-pq3x-2gf2
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-22h5-pq3x-2gf2
19
reference_url https://access.redhat.com/errata/RHSA-2025:10217
reference_id RHSA-2025:10217
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:10217
20
reference_url https://access.redhat.com/errata/RHSA-2025:4063
reference_id RHSA-2025:4063
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4063
21
reference_url https://access.redhat.com/errata/RHSA-2025:4488
reference_id RHSA-2025:4488
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4488
22
reference_url https://access.redhat.com/errata/RHSA-2025:4493
reference_id RHSA-2025:4493
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4493
23
reference_url https://access.redhat.com/errata/RHSA-2025:8131
reference_id RHSA-2025:8131
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8131
24
reference_url https://usn.ubuntu.com/7418-1/
reference_id USN-7418-1
reference_type
scores
url https://usn.ubuntu.com/7418-1/
25
reference_url https://usn.ubuntu.com/7442-1/
reference_id USN-7442-1
reference_type
scores
url https://usn.ubuntu.com/7442-1/
fixed_packages
aliases CVE-2025-27221, GHSA-22h5-pq3x-2gf2
risk_score 1.6
exploitability 0.5
weighted_severity 3.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n1ja-n53g-fycm
13
url VCID-qu1w-yd76-t7c1
vulnerability_id VCID-qu1w-yd76-t7c1
summary 
REXML denial of service vulnerability
### Impact

The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

### Patches

The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities.

### Workarounds

Don't parse untrusted XMLs.

### References

* https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
* https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-39908.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-39908.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-39908
reference_id
reference_type
scores
0
value 0.06685
scoring_system epss
scoring_elements 0.9126
published_at 2026-04-18T12:55:00Z
1
value 0.06685
scoring_system epss
scoring_elements 0.91261
published_at 2026-04-16T12:55:00Z
2
value 0.06685
scoring_system epss
scoring_elements 0.91227
published_at 2026-04-09T12:55:00Z
3
value 0.06685
scoring_system epss
scoring_elements 0.91234
published_at 2026-04-11T12:55:00Z
4
value 0.06685
scoring_system epss
scoring_elements 0.91221
published_at 2026-04-08T12:55:00Z
5
value 0.06685
scoring_system epss
scoring_elements 0.91207
published_at 2026-04-07T12:55:00Z
6
value 0.06685
scoring_system epss
scoring_elements 0.912
published_at 2026-04-04T12:55:00Z
7
value 0.06685
scoring_system epss
scoring_elements 0.91192
published_at 2026-04-02T12:55:00Z
8
value 0.06685
scoring_system epss
scoring_elements 0.91237
published_at 2026-04-13T12:55:00Z
9
value 0.06685
scoring_system epss
scoring_elements 0.91238
published_at 2026-04-12T12:55:00Z
10
value 0.08032
scoring_system epss
scoring_elements 0.92124
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-39908
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39908
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39908
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/ruby/rexml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rexml
5
reference_url https://github.com/ruby/rexml/releases/tag/v3.3.2
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rexml/releases/tag/v3.3.2
6
reference_url https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements
1
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:58:11Z/
url https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-39908.yml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-39908.yml
8
reference_url https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-39908
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-39908
10
reference_url https://security.netapp.com/advisory/ntap-20250117-0008
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250117-0008
11
reference_url https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:58:11Z/
url https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076766
reference_id 1076766
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076766
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076768
reference_id 1076768
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076768
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2298243
reference_id 2298243
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2298243
15
reference_url https://github.com/advisories/GHSA-4xqq-m2hx-25v8
reference_id GHSA-4xqq-m2hx-25v8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4xqq-m2hx-25v8
16
reference_url https://security.gentoo.org/glsa/202507-08
reference_id GLSA-202507-08
reference_type
scores
url https://security.gentoo.org/glsa/202507-08
17
reference_url https://access.redhat.com/errata/RHSA-2024:6784
reference_id RHSA-2024:6784
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6784
18
reference_url https://access.redhat.com/errata/RHSA-2024:6785
reference_id RHSA-2024:6785
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6785
19
reference_url https://access.redhat.com/errata/RHSA-2025:4063
reference_id RHSA-2025:4063
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4063
20
reference_url https://access.redhat.com/errata/RHSA-2025:4488
reference_id RHSA-2025:4488
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4488
21
reference_url https://usn.ubuntu.com/7091-1/
reference_id USN-7091-1
reference_type
scores
url https://usn.ubuntu.com/7091-1/
22
reference_url https://usn.ubuntu.com/7256-1/
reference_id USN-7256-1
reference_type
scores
url https://usn.ubuntu.com/7256-1/
23
reference_url https://usn.ubuntu.com/7418-1/
reference_id USN-7418-1
reference_type
scores
url https://usn.ubuntu.com/7418-1/
24
reference_url https://usn.ubuntu.com/7840-1/
reference_id USN-7840-1
reference_type
scores
url https://usn.ubuntu.com/7840-1/
fixed_packages
aliases CVE-2024-39908, GHSA-4xqq-m2hx-25v8
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qu1w-yd76-t7c1
14
url VCID-uxdx-abx7-fkdy
vulnerability_id VCID-uxdx-abx7-fkdy
summary 
Ruby URI component ReDoS issue
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28755.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28755.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-28755
reference_id
reference_type
scores
0
value 0.00322
scoring_system epss
scoring_elements 0.55239
published_at 2026-04-02T12:55:00Z
1
value 0.00322
scoring_system epss
scoring_elements 0.55265
published_at 2026-04-13T12:55:00Z
2
value 0.00322
scoring_system epss
scoring_elements 0.55283
published_at 2026-04-12T12:55:00Z
3
value 0.00322
scoring_system epss
scoring_elements 0.55304
published_at 2026-04-11T12:55:00Z
4
value 0.00322
scoring_system epss
scoring_elements 0.55292
published_at 2026-04-09T12:55:00Z
5
value 0.00322
scoring_system epss
scoring_elements 0.55291
published_at 2026-04-08T12:55:00Z
6
value 0.00322
scoring_system epss
scoring_elements 0.55241
published_at 2026-04-07T12:55:00Z
7
value 0.00322
scoring_system epss
scoring_elements 0.55263
published_at 2026-04-04T12:55:00Z
8
value 0.00337
scoring_system epss
scoring_elements 0.56541
published_at 2026-04-21T12:55:00Z
9
value 0.00357
scoring_system epss
scoring_elements 0.57963
published_at 2026-04-16T12:55:00Z
10
value 0.00366
scoring_system epss
scoring_elements 0.58615
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-28755
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28755
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28755
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/ruby/uri
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri
5
reference_url https://github.com/ruby/uri/releases
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/uri/releases
6
reference_url https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/
url https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
7
reference_url https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
8
reference_url https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
18
reference_url https://security.gentoo.org/glsa/202401-27
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/
url https://security.gentoo.org/glsa/202401-27
19
reference_url https://security.netapp.com/advisory/ntap-20230526-0003
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20230526-0003
20
reference_url https://www.ruby-lang.org/en/downloads/releases
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/downloads/releases
21
reference_url https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released
22
reference_url https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755
23
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036283
reference_id 1036283
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036283
24
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038408
reference_id 1038408
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038408
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2184059
reference_id 2184059
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2184059
26
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/
reference_id 27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/
27
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-28755
reference_id CVE-2023-28755
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-28755
28
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-28755.yml
reference_id CVE-2023-28755.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-28755.yml
29
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
reference_id FFZANOQA4RYX7XCB42OO3P24DQKWHEKA
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
30
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
reference_id G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
31
reference_url https://github.com/advisories/GHSA-hv5j-3h9f-99c2
reference_id GHSA-hv5j-3h9f-99c2
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hv5j-3h9f-99c2
32
reference_url https://security.netapp.com/advisory/ntap-20230526-0003/
reference_id ntap-20230526-0003
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/
url https://security.netapp.com/advisory/ntap-20230526-0003/
33
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/
reference_id QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/
34
reference_url https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
reference_id redos-in-uri-cve-2023-28755
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/
url https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
35
reference_url https://github.com/ruby/uri/releases/
reference_id releases
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/
url https://github.com/ruby/uri/releases/
36
reference_url https://www.ruby-lang.org/en/downloads/releases/
reference_id releases
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/
url https://www.ruby-lang.org/en/downloads/releases/
37
reference_url https://access.redhat.com/errata/RHSA-2023:3291
reference_id RHSA-2023:3291
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3291
38
reference_url https://access.redhat.com/errata/RHSA-2023:3821
reference_id RHSA-2023:3821
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3821
39
reference_url https://access.redhat.com/errata/RHSA-2023:7025
reference_id RHSA-2023:7025
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7025
40
reference_url https://access.redhat.com/errata/RHSA-2024:1431
reference_id RHSA-2024:1431
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1431
41
reference_url https://access.redhat.com/errata/RHSA-2024:1576
reference_id RHSA-2024:1576
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1576
42
reference_url https://access.redhat.com/errata/RHSA-2024:3500
reference_id RHSA-2024:3500
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3500
43
reference_url https://access.redhat.com/errata/RHSA-2024:3838
reference_id RHSA-2024:3838
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3838
44
reference_url https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
reference_id ruby-3-2-0-released
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/
url https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
45
reference_url https://usn.ubuntu.com/6055-1/
reference_id USN-6055-1
reference_type
scores
url https://usn.ubuntu.com/6055-1/
46
reference_url https://usn.ubuntu.com/6055-2/
reference_id USN-6055-2
reference_type
scores
url https://usn.ubuntu.com/6055-2/
47
reference_url https://usn.ubuntu.com/6087-1/
reference_id USN-6087-1
reference_type
scores
url https://usn.ubuntu.com/6087-1/
48
reference_url https://usn.ubuntu.com/6181-1/
reference_id USN-6181-1
reference_type
scores
url https://usn.ubuntu.com/6181-1/
49
reference_url https://usn.ubuntu.com/6219-1/
reference_id USN-6219-1
reference_type
scores
url https://usn.ubuntu.com/6219-1/
50
reference_url https://usn.ubuntu.com/7735-1/
reference_id USN-7735-1
reference_type
scores
url https://usn.ubuntu.com/7735-1/
51
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
reference_id WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:38:26Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
fixed_packages
aliases CVE-2023-28755, GHSA-hv5j-3h9f-99c2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uxdx-abx7-fkdy
15
url VCID-x126-x9qm-e7d3
vulnerability_id VCID-x126-x9qm-e7d3
summary ruby: Arbitrary memory address read vulnerability with Regex search
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27282.json
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27282.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-27282
reference_id
reference_type
scores
0
value 0.0057
scoring_system epss
scoring_elements 0.68642
published_at 2026-04-21T12:55:00Z
1
value 0.00619
scoring_system epss
scoring_elements 0.70042
published_at 2026-04-11T12:55:00Z
2
value 0.00619
scoring_system epss
scoring_elements 0.70066
published_at 2026-04-18T12:55:00Z
3
value 0.00619
scoring_system epss
scoring_elements 0.70057
published_at 2026-04-16T12:55:00Z
4
value 0.00619
scoring_system epss
scoring_elements 0.70013
published_at 2026-04-13T12:55:00Z
5
value 0.00619
scoring_system epss
scoring_elements 0.70027
published_at 2026-04-12T12:55:00Z
6
value 0.00619
scoring_system epss
scoring_elements 0.69962
published_at 2026-04-02T12:55:00Z
7
value 0.00619
scoring_system epss
scoring_elements 0.69977
published_at 2026-04-04T12:55:00Z
8
value 0.00619
scoring_system epss
scoring_elements 0.69954
published_at 2026-04-07T12:55:00Z
9
value 0.00619
scoring_system epss
scoring_elements 0.70002
published_at 2026-04-08T12:55:00Z
10
value 0.00619
scoring_system epss
scoring_elements 0.70018
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-27282
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27282
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27282
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv3
scoring_elements
1
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-23T18:26:58Z/
url https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069969
reference_id 1069969
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069969
6
reference_url https://hackerone.com/reports/2122624
reference_id 2122624
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-23T18:26:58Z/
url https://hackerone.com/reports/2122624
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2276810
reference_id 2276810
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2276810
8
reference_url https://access.redhat.com/errata/RHSA-2024:3500
reference_id RHSA-2024:3500
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3500
9
reference_url https://access.redhat.com/errata/RHSA-2024:3546
reference_id RHSA-2024:3546
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3546
10
reference_url https://access.redhat.com/errata/RHSA-2024:3668
reference_id RHSA-2024:3668
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3668
11
reference_url https://access.redhat.com/errata/RHSA-2024:3670
reference_id RHSA-2024:3670
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3670
12
reference_url https://access.redhat.com/errata/RHSA-2024:3671
reference_id RHSA-2024:3671
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3671
13
reference_url https://access.redhat.com/errata/RHSA-2024:3838
reference_id RHSA-2024:3838
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3838
14
reference_url https://access.redhat.com/errata/RHSA-2024:4499
reference_id RHSA-2024:4499
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4499
15
reference_url https://access.redhat.com/errata/RHSA-2026:7305
reference_id RHSA-2026:7305
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7305
16
reference_url https://access.redhat.com/errata/RHSA-2026:7307
reference_id RHSA-2026:7307
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:7307
17
reference_url https://access.redhat.com/errata/RHSA-2026:8838
reference_id RHSA-2026:8838
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8838
18
reference_url https://usn.ubuntu.com/6838-1/
reference_id USN-6838-1
reference_type
scores
url https://usn.ubuntu.com/6838-1/
19
reference_url https://usn.ubuntu.com/7734-1/
reference_id USN-7734-1
reference_type
scores
url https://usn.ubuntu.com/7734-1/
fixed_packages
aliases CVE-2024-27282, GHSA-63cq-cj6g-qfr2
risk_score 3.0
exploitability 0.5
weighted_severity 5.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x126-x9qm-e7d3
16
url VCID-yj1t-rga1-x3ev
vulnerability_id VCID-yj1t-rga1-x3ev
summary 
REXML DoS vulnerability
### Impact

The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

### Patches

The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.

### Workarounds

Don't parse untrusted XMLs.

### References

* https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
* https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability
* https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41123.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-41123.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-41123
reference_id
reference_type
scores
0
value 0.00232
scoring_system epss
scoring_elements 0.46108
published_at 2026-04-11T12:55:00Z
1
value 0.00232
scoring_system epss
scoring_elements 0.46139
published_at 2026-04-18T12:55:00Z
2
value 0.00232
scoring_system epss
scoring_elements 0.46143
published_at 2026-04-16T12:55:00Z
3
value 0.00232
scoring_system epss
scoring_elements 0.46088
published_at 2026-04-13T12:55:00Z
4
value 0.00232
scoring_system epss
scoring_elements 0.46079
published_at 2026-04-12T12:55:00Z
5
value 0.00232
scoring_system epss
scoring_elements 0.46084
published_at 2026-04-09T12:55:00Z
6
value 0.00232
scoring_system epss
scoring_elements 0.46086
published_at 2026-04-08T12:55:00Z
7
value 0.00232
scoring_system epss
scoring_elements 0.4603
published_at 2026-04-07T12:55:00Z
8
value 0.00232
scoring_system epss
scoring_elements 0.46082
published_at 2026-04-04T12:55:00Z
9
value 0.00232
scoring_system epss
scoring_elements 0.46061
published_at 2026-04-02T12:55:00Z
10
value 0.00239
scoring_system epss
scoring_elements 0.4698
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-41123
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41123
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41123
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/ruby/rexml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/ruby/rexml
5
reference_url https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-01T14:33:21Z/
url https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
6
reference_url https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-01T14:33:21Z/
url https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6
7
reference_url https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-01T14:33:21Z/
url https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41123.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41123.yml
9
reference_url https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-41123
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-41123
11
reference_url https://security.netapp.com/advisory/ntap-20241227-0005
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20241227-0005
12
reference_url https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
2
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-01T14:33:21Z/
url https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083190
reference_id 1083190
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083190
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2302268
reference_id 2302268
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2302268
15
reference_url https://github.com/advisories/GHSA-r55c-59qm-vjw6
reference_id GHSA-r55c-59qm-vjw6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r55c-59qm-vjw6
16
reference_url https://security.gentoo.org/glsa/202507-08
reference_id GLSA-202507-08
reference_type
scores
url https://security.gentoo.org/glsa/202507-08
17
reference_url https://access.redhat.com/errata/RHSA-2024:6670
reference_id RHSA-2024:6670
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6670
18
reference_url https://access.redhat.com/errata/RHSA-2024:6702
reference_id RHSA-2024:6702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6702
19
reference_url https://access.redhat.com/errata/RHSA-2024:6703
reference_id RHSA-2024:6703
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6703
20
reference_url https://access.redhat.com/errata/RHSA-2024:6784
reference_id RHSA-2024:6784
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6784
21
reference_url https://access.redhat.com/errata/RHSA-2024:6785
reference_id RHSA-2024:6785
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6785
22
reference_url https://access.redhat.com/errata/RHSA-2025:4063
reference_id RHSA-2025:4063
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4063
23
reference_url https://access.redhat.com/errata/RHSA-2025:4488
reference_id RHSA-2025:4488
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4488
24
reference_url https://usn.ubuntu.com/7091-1/
reference_id USN-7091-1
reference_type
scores
url https://usn.ubuntu.com/7091-1/
25
reference_url https://usn.ubuntu.com/7091-2/
reference_id USN-7091-2
reference_type
scores
url https://usn.ubuntu.com/7091-2/
26
reference_url https://usn.ubuntu.com/7418-1/
reference_id USN-7418-1
reference_type
scores
url https://usn.ubuntu.com/7418-1/
27
reference_url https://usn.ubuntu.com/7840-1/
reference_id USN-7840-1
reference_type
scores
url https://usn.ubuntu.com/7840-1/
fixed_packages
aliases CVE-2024-41123, GHSA-r55c-59qm-vjw6
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yj1t-rga1-x3ev
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby2.7@2.7.4-1%252Bdeb11u1