Posted by mame on 5 Apr 2021
There is an XML round-trip vulnerability in the REXML gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2021-28965. We strongly recommend upgrading the REXML gem.
Details
When parsing and then serializing a crafted XML document, the REXML gem (including the one bundled with Ruby) can produce a wrong XML document whose structure differs from the original one. The impact of this issue depends heavily on context, but it may lead to a vulnerability in some programs that use REXML.
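As an added example (not code from the advisory or from the REXML project), the following Ruby helper applies the advisory's description defensively: it parses a document with REXML, serializes it, reparses the result, and reports whether the element structure survived the round trip unchanged; it also compares the loaded REXML version against the fixed release 3.2.5. The helper names (`roundtrip_stable?`, `structure`, `rexml_patched?`) are assumptions of this example and the sample document is constructed; the check does not reproduce the crafted document behind CVE-2021-28965, it only gives a program that re-serializes untrusted XML a way to notice a structural mismatch before trusting the output.

```ruby
# Added example, not part of the Ruby advisory or of REXML itself.
# CVE-2021-28965 is a parse -> serialize -> reparse mismatch, so a program
# that re-serializes untrusted XML with REXML can verify that the structure
# survived the round trip, and can check that the fixed REXML is loaded.
require 'rubygems'
require 'rexml/document'

# Version named by the advisory as the first fixed release.
FIXED_REXML_VERSION = Gem::Version.new('3.2.5')

# True when the loaded REXML is at or above the fixed version.
# Assumes REXML::VERSION is defined (it is in the rexml gem).
def rexml_patched?
  Gem::Version.new(REXML::VERSION) >= FIXED_REXML_VERSION
end

# Reduce a document or element tree to plain Ruby arrays so two documents can
# be compared by structure (element names, attributes, text) rather than by
# raw byte output, which may legitimately differ in whitespace or escaping.
def structure(node)
  case node
  when REXML::Document
    structure(node.root)
  when REXML::Element
    attrs = []
    node.attributes.each_attribute { |a| attrs << [a.expanded_name, a.value] }
    children = node.children.map { |c| structure(c) }.compact
    [node.expanded_name, attrs.sort, children]
  when REXML::Text
    text = node.value.strip
    text.empty? ? nil : text
  else
    nil # comments, processing instructions etc. are not compared here
  end
end

# Parse, serialize, reparse; true only if the structure is unchanged.
def roundtrip_stable?(xml)
  first = REXML::Document.new(xml)
  serialized = first.to_s
  second = REXML::Document.new(serialized)
  structure(first) == structure(second)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample document for the demonstration.
  sample = '<root a="1"><child>hi &amp; bye</child><child/></root>'
  puts "REXML #{REXML::VERSION} (patched: #{rexml_patched?})"
  puts "round trip stable: #{roundtrip_stable?(sample)}"
end
```

The structural comparison deliberately ignores serialization details such as attribute order and surrounding whitespace, so a `false` result points at a genuine change in the element tree rather than at cosmetic differences in the output.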
Please update the REXML gem to version 3.2.5 or later.
If you are using Ruby 2.6 or later:
- Please use Ruby 2.6.7, 2.7.3, or 3.0.1.
- Alternatively, you can run `gem update rexml` to update it. If you are using bundler, please add `gem "rexml", ">= 3.2.5"` to your `Gemfile`.
If you are using Ruby 2.5.8 or prior:
- Please use Ruby 2.5.9.
- You cannot use `gem update rexml` for Ruby 2.5.8 or prior.
- Note that the Ruby 2.5 series is now EOL, so please consider upgrading Ruby to 2.6.7 or later as soon as possible.
Affected versions
- Ruby 2.5.8 or prior (you can NOT use `gem update rexml` for this version)
- Ruby 2.6.6 or prior
- Ruby 2.7.2 or prior
- Ruby 3.0.0
- REXML gem 3.2.4 or prior
Credits
Thanks to Juho Nurminen for discovering this issue.
History
- Originally published at 2021-04-05 12:00:00 (UTC)