High severityNVD Advisory· Published Apr 21, 2021· Updated Aug 3, 2024
CVE-2021-28965
CVE-2021-28965
Description
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
rexmlRubyGems | < 3.2.5 | 3.2.5 |
Affected products
24- Ruby/REXMLdescription
- osv-coords23 versionspkg:bitnami/rubypkg:bitnami/ruby-minpkg:gem/rexmlpkg:rpm/almalinux/rubygem-abrtpkg:rpm/almalinux/rubygem-abrt-docpkg:rpm/almalinux/rubygem-bsonpkg:rpm/almalinux/rubygem-bson-docpkg:rpm/almalinux/rubygem-mongopkg:rpm/almalinux/rubygem-mongo-docpkg:rpm/almalinux/rubygem-mysql2pkg:rpm/almalinux/rubygem-mysql2-docpkg:rpm/almalinux/rubygem-pgpkg:rpm/almalinux/rubygem-pg-docpkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/ruby2.7&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.0&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.1&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.2&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.3&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby4.0&distro=openSUSE%20Tumbleweedpkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Micro%205.0pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2
< 2.6.7+ 22 more
- (no CPE)range: < 2.6.7
- (no CPE)range: < 2.6.7
- (no CPE)range: < 3.2.5
- (no CPE)range: < 0.4.0-1.module_el8.4.0+2399+4e3a532a
- (no CPE)range: < 0.4.0-1.module_el8.5.0+118+1ab773e1
- (no CPE)range: < 4.8.1-1.module_el8.5.0+117+35d1289b
- (no CPE)range: < 4.8.1-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 0.5.3-1.module_el8.4.0+2399+4e3a532a
- (no CPE)range: < 0.5.3-1.module_el8.5.0+118+1ab773e1
- (no CPE)range: < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.5.9-lp152.2.6.1
- (no CPE)range: < 2.7.3-3.2
- (no CPE)range: < 3.0.1-3.2
- (no CPE)range: < 3.1.0-1.1
- (no CPE)range: < 3.2.1-1.1
- (no CPE)range: < 3.3.0-1.2
- (no CPE)range: < 3.4.1-1.1
- (no CPE)range: < 4.0.0~preview2-1.1
- (no CPE)range: < 2.5.9-4.17.1
- (no CPE)range: < 2.5.9-4.17.1
Patches
Vulnerability mechanics
References
18- github.com/advisories/GHSA-8cr8-4vfw-mr7hghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2021-28965ghsaADVISORY
- github.com/ruby/rexml/commit/2fe62e29094d95921d7e19abbd2e26b23d78dc5bghsaWEB
- github.com/ruby/rexml/commit/3c137eb119550874b2b3e27d12b733ca67033377ghsaWEB
- github.com/ruby/rexml/commit/6a250d2cd1194c2be72becbdd9c3e770aa16e752ghsaWEB
- github.com/ruby/rexml/commit/9b311e59ae05749e082eb6bbefa1cb620d1a786eghsaWEB
- github.com/ruby/rexml/commit/a659c63e37414506dfb0d4655e031bb7a2e73fc8ghsaWEB
- github.com/ruby/rexml/commit/f7bab8937513b1403cea5aff874cbf32fd5e8551ghsaWEB
- github.com/ruby/rexml/commit/f9d88e4948b4a43294c25dc0edb16815bd9d8618ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2021-28965.ymlghsaWEB
- hackerone.com/reports/1104077ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMTghsaWEB
- rubygems.org/gems/rexmlghsaWEB
- security.netapp.com/advisory/ntap-20210528-0003ghsaWEB
- security.netapp.com/advisory/ntap-20210528-0003/mitrex_refsource_CONFIRM
- www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965ghsaWEB
- www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.