VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-b44n-frjk-qfdy

Essentials
Severities (24)
References (19)
Severity details (19)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-b44n-frjk-qfdy
Aliases	CVE-2024-35176 GHSA-vg3r-rm7w-2xgh
Summary	REXML contains a denial of service vulnerability ### Impact The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many `<`s in an attribute value. If you need to parse untrusted XMLs, you may be impacted to this vulnerability. ### Patches The REXML gem 3.2.7 or later include the patch to fix this vulnerability. ### Workarounds Don't parse untrusted XMLs. ### References * https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-400	Uncontrolled Resource Consumption
CWE-770	Allocation of Resources Without Limits or Throttling
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	5.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-35176.json
epss	0.03575	https://api.first.org/data/v1/epss?cve=CVE-2024-35176
epss	0.03575	https://api.first.org/data/v1/epss?cve=CVE-2024-35176
epss	0.03575	https://api.first.org/data/v1/epss?cve=CVE-2024-35176
epss	0.03575	https://api.first.org/data/v1/epss?cve=CVE-2024-35176
cvssv3.1	5.3	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-vg3r-rm7w-2xgh
cvssv3.1	5.3	https://github.com/ruby/rexml
generic_textual	MODERATE	https://github.com/ruby/rexml
cvssv3.1	5.3	https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
generic_textual	MODERATE	https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
ssvc	Track	https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
cvssv3	5.3	https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
cvssv3.1	5.3	https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
cvssv3.1_qr	MODERATE	https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
generic_textual	MODERATE	https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
ssvc	Track	https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
cvssv3.1	5.3	https://nvd.nist.gov/vuln/detail/CVE-2024-35176
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2024-35176
cvssv3.1	5.3	https://security.netapp.com/advisory/ntap-20250306-0001
generic_textual	MODERATE	https://security.netapp.com/advisory/ntap-20250306-0001
cvssv3.1	5.3	https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176
generic_textual	MODERATE	https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176
ssvc	Track	https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-35176.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-35176
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35176
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/ruby/rexml
		https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb
		https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
		https://nvd.nist.gov/vuln/detail/CVE-2024-35176
		https://security.netapp.com/advisory/ntap-20250306-0001
		https://security.netapp.com/advisory/ntap-20250306-0001/
		https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176
1071626		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071626
2280894		https://bugzilla.redhat.com/show_bug.cgi?id=2280894
GHSA-vg3r-rm7w-2xgh		https://github.com/advisories/GHSA-vg3r-rm7w-2xgh
RHSA-2024:4499		https://access.redhat.com/errata/RHSA-2024:4499
RHSA-2024:5338		https://access.redhat.com/errata/RHSA-2024:5338
USN-7091-1		https://usn.ubuntu.com/7091-1/
USN-7091-2		https://usn.ubuntu.com/7091-2/
USN-7418-1		https://usn.ubuntu.com/7418-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-35176.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/ruby/rexml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-16T18:26:15Z/ Found at https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-16T18:26:15Z/ Found at https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2024-35176

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://security.netapp.com/advisory/ntap-20250306-0001

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-16T18:26:15Z/ Found at https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176

Exploit Prediction Scoring System (EPSS)

Percentile	0.8724
EPSS Score	0.03575
Published At	June 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:11:20.577359+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-vg3r-rm7w-2xgh/GHSA-vg3r-rm7w-2xgh.json	36.1.3