GHSA SYNC: 2 brand new advisories #831

Merged
merged 1 commit into from
Oct 29, 2024
35 changes: 35 additions & 0 deletions gems/mpxj/CVE-2024-49771.yml
@@ -0,0 +1,35 @@
---
gem: mpxj
cve: 2024-49771
ghsa: j945-c44v-97g6
url: https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6
title: MPXJ has a Potential Path Traversal Vulnerability
date: 2024-10-28
description: |
### Impact

The patch for the historical vulnerability CVE-2020-35460 in MPXJ
is incomplete as there is still a possibility that a malicious path
could be constructed which would not be picked up by the original
fix and allow files to be written to arbitrary locations.

### Patches

The issue is addressed in MPXJ version 13.5.1

### Workarounds

Do not pass zip files to MPXJ.

### References
N/A
cvss_v3: 5.3
unaffected_versions:
- "< 8.3.5"
patched_versions:
- ">= 13.5.1"
related:
url:
- https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6
- https://github.com/joniles/mpxj/commit/8002802890dfdc8bc74259f37e053e15b827eea0
- https://github.com/advisories/GHSA-j945-c44v-97g6
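Review bot: the version ranges in this file need a second look: `unaffected_versions: - "< 8.3.5"` together with `patched_versions: - ">= 13.5.1"` declares every release from 8.3.5 through 13.5.0 affected, while the description says it is the earlier CVE-2020-35460 fix that is incomplete, so releases before that fix were exposed to the older CVE rather than genuinely unaffected; please confirm that 8.3.5 is the release that introduced the original fix, and consider a one-line comment explaining why the lower bound sits there. A smaller point in the same hunk: the `### References` subsection of the description reads `N/A` while `related: url:` lists three links, which looks contradictory to a reader of the YAML; either drop that subsection from the description or keep the upstream text verbatim and rely on `related` for the links.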
40 changes: 40 additions & 0 deletions gems/rexml/CVE-2024-49761.yml
@@ -0,0 +1,40 @@
---
gem: rexml
cve: 2024-49761
ghsa: 2rxp-v6pw-ch6m
url: https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
title: REXML ReDoS vulnerability
date: 2024-10-28
description: |
## Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it
parses an XML that has many digits between `&#` and `x...;`
in a hex numeric character reference (`&#x...;`).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only
affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

## Patches

The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

## Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.

## References

* https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
* Announced on www.ruby-lang.org.
cvss_v4: 6.6
patched_versions:
- ">= 3.3.9"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-49761
- https://github.com/ruby/rexml/releases/tag/v3.3.9
- https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
- https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
- https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761
- https://github.com/advisories/GHSA-2rxp-v6pw-ch6m
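Review bot: the affected scope in this description is stated in interpreter versions ("Ruby 3.1 is the only affected maintained Ruby", "This does not happen with Ruby 3.2 or later"), but the only machine-readable constraint is `patched_versions: - ">= 3.3.9"`, so consumers of this database will flag every REXML < 3.3.9 regardless of the Ruby in use; since the format carries no Ruby-version field, it would help to say explicitly in the description that the gem range is what is enforced and the Ruby-version condition is informational. Two minor style points in the same hunk: the reference bullet `* Announced on www.ruby-lang.org.` is a note rather than a link and duplicates the URL on the line above it, and `The REXML gem 3.3.9 or later include the patch` should read `includes` unless the description is intentionally a verbatim copy of the upstream advisory.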