CVE-2021-28965

Public on 2021-04-21
Modified on 2024-01-29
Description

A flaw was found in the way the Ruby REXML library parsed XML documents. Parsing a specially crafted XML document using REXML and writing parsed data back to a new XML document results in creating a document with a different structure. This issue could affect the integrity of processed data in applications using REXML that parse XML documents, write data back to XML, and re-parse them again.

Severity
Medium
See what this means
CVSS v3 Base Score
7.5
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Ruby2.6 Extra ruby 2023-09-25 ALAS2RUBY2.6-2023-006
Amazon Linux 2 - Ruby3.0 Extra ruby 2023-09-25 ALAS2RUBY3.0-2023-007
Amazon Linux 2 - Core ruby 2024-09-18 ALAS2-2024-2637
Amazon Linux 1 ruby24 2021-05-19 ALAS-2021-1501

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD CVSSv2 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
NVD CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2021-28965 Mitre: CVE-2021-28965