Vulnerability details: VCID-v6kw-re7n-1ke3
Vulnerability ID VCID-v6kw-re7n-1ke3
Aliases CVE-2021-28965
GHSA-8cr8-4vfw-mr7h
Summary incorrect calculation
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Weaknesses (4)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28965.json
epss 0.00339 https://api.first.org/data/v1/epss?cve=CVE-2021-28965
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-8cr8-4vfw-mr7h
cvssv3.1 7.5 https://github.com/ruby/rexml
generic_textual HIGH https://github.com/ruby/rexml
cvssv3.1 7.5 https://github.com/ruby/rexml/commit/2fe62e29094d95921d7e19abbd2e26b23d78dc5b
generic_textual HIGH https://github.com/ruby/rexml/commit/2fe62e29094d95921d7e19abbd2e26b23d78dc5b
cvssv3.1 7.5 https://github.com/ruby/rexml/commit/3c137eb119550874b2b3e27d12b733ca67033377
generic_textual HIGH https://github.com/ruby/rexml/commit/3c137eb119550874b2b3e27d12b733ca67033377
cvssv3.1 7.5 https://github.com/ruby/rexml/commit/6a250d2cd1194c2be72becbdd9c3e770aa16e752
generic_textual HIGH https://github.com/ruby/rexml/commit/6a250d2cd1194c2be72becbdd9c3e770aa16e752
cvssv3.1 7.5 https://github.com/ruby/rexml/commit/9b311e59ae05749e082eb6bbefa1cb620d1a786e
generic_textual HIGH https://github.com/ruby/rexml/commit/9b311e59ae05749e082eb6bbefa1cb620d1a786e
cvssv3.1 7.5 https://github.com/ruby/rexml/commit/a659c63e37414506dfb0d4655e031bb7a2e73fc8
generic_textual HIGH https://github.com/ruby/rexml/commit/a659c63e37414506dfb0d4655e031bb7a2e73fc8
cvssv3.1 7.5 https://github.com/ruby/rexml/commit/f7bab8937513b1403cea5aff874cbf32fd5e8551
generic_textual HIGH https://github.com/ruby/rexml/commit/f7bab8937513b1403cea5aff874cbf32fd5e8551
cvssv3.1 7.5 https://github.com/ruby/rexml/commit/f9d88e4948b4a43294c25dc0edb16815bd9d8618
generic_textual HIGH https://github.com/ruby/rexml/commit/f9d88e4948b4a43294c25dc0edb16815bd9d8618
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2021-28965.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2021-28965.yml
cvssv3.1 7.5 https://hackerone.com/reports/1104077
generic_textual HIGH https://hackerone.com/reports/1104077
cvssv3.1 7.5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2021-28965
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2021-28965
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-28965
cvssv3.1 7.5 https://rubygems.org/gems/rexml
generic_textual HIGH https://rubygems.org/gems/rexml
archlinux Critical https://security.archlinux.org/AVG-1788
archlinux Critical https://security.archlinux.org/AVG-1789
archlinux Critical https://security.archlinux.org/AVG-1822
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20210528-0003
generic_textual HIGH https://security.netapp.com/advisory/ntap-20210528-0003
cvssv3.1 7.5 https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965
generic_textual HIGH https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965
cvssv3 7.5 https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28965.json
https://api.first.org/data/v1/epss?cve=CVE-2021-28965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31799
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31810
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32066
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41819
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/ruby/rexml
https://github.com/ruby/rexml/commit/2fe62e29094d95921d7e19abbd2e26b23d78dc5b
https://github.com/ruby/rexml/commit/3c137eb119550874b2b3e27d12b733ca67033377
https://github.com/ruby/rexml/commit/6a250d2cd1194c2be72becbdd9c3e770aa16e752
https://github.com/ruby/rexml/commit/9b311e59ae05749e082eb6bbefa1cb620d1a786e
https://github.com/ruby/rexml/commit/a659c63e37414506dfb0d4655e031bb7a2e73fc8
https://github.com/ruby/rexml/commit/f7bab8937513b1403cea5aff874cbf32fd5e8551
https://github.com/ruby/rexml/commit/f9d88e4948b4a43294c25dc0edb16815bd9d8618
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2021-28965.yml
https://hackerone.com/reports/1104077
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT/
https://nvd.nist.gov/vuln/detail/CVE-2021-28965
https://rubygems.org/gems/rexml
https://security.netapp.com/advisory/ntap-20210528-0003
https://security.netapp.com/advisory/ntap-20210528-0003/
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
1947526 https://bugzilla.redhat.com/show_bug.cgi?id=1947526
986806 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986806
ASA-202104-1 https://security.archlinux.org/ASA-202104-1
AVG-1788 https://security.archlinux.org/AVG-1788
AVG-1789 https://security.archlinux.org/AVG-1789
AVG-1822 https://security.archlinux.org/AVG-1822
cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:*
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
GHSA-8cr8-4vfw-mr7h https://github.com/advisories/GHSA-8cr8-4vfw-mr7h
RHSA-2021:2104 https://access.redhat.com/errata/RHSA-2021:2104
RHSA-2021:2229 https://access.redhat.com/errata/RHSA-2021:2229
RHSA-2021:2230 https://access.redhat.com/errata/RHSA-2021:2230
RHSA-2021:2584 https://access.redhat.com/errata/RHSA-2021:2584
RHSA-2021:2587 https://access.redhat.com/errata/RHSA-2021:2587
RHSA-2021:2588 https://access.redhat.com/errata/RHSA-2021:2588
RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581
RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582
USN-4922-1 https://usn.ubuntu.com/4922-1/
USN-4922-2 https://usn.ubuntu.com/4922-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-28965.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/ruby/rexml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/ruby/rexml/commit/2fe62e29094d95921d7e19abbd2e26b23d78dc5b
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/ruby/rexml/commit/3c137eb119550874b2b3e27d12b733ca67033377
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/ruby/rexml/commit/6a250d2cd1194c2be72becbdd9c3e770aa16e752
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/ruby/rexml/commit/9b311e59ae05749e082eb6bbefa1cb620d1a786e
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/ruby/rexml/commit/a659c63e37414506dfb0d4655e031bb7a2e73fc8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/ruby/rexml/commit/f7bab8937513b1403cea5aff874cbf32fd5e8551
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/ruby/rexml/commit/f9d88e4948b4a43294c25dc0edb16815bd9d8618
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2021-28965.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://hackerone.com/reports/1104077
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-28965
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-28965
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://rubygems.org/gems/rexml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://security.netapp.com/advisory/ntap-20210528-0003
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965
Exploit Prediction Scoring System (EPSS)
Percentile 0.55951
EPSS Score 0.00339
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T11:52:48.967336+00:00 Arch Linux Importer Import https://security.archlinux.org/AVG-1789 36.1.3