Posted by mame on 5 Apr 2021
There is an XML round-trip vulnerability in the REXML gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2021-28965. We strongly recommend upgrading the REXML gem.
When parsing and then serializing a crafted XML document, the REXML gem (including the one bundled with Ruby) can produce an XML document whose structure differs from the original one. The impact of this issue depends heavily on context, but it may lead to a vulnerability in some programs that use REXML.
Please update the REXML gem to version 3.2.5 or later.
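As an added example (not code from the advisory or from the REXML project), the following Ruby script shows two checks an application owner can run while rolling out the fix: a version gate against the 3.2.5 release named above, and a round-trip consistency check that parses a document with REXML, serializes it, parses the result again, and compares the two element trees. The function and constant names, the tree-comparison scheme, and the sample document are this example's own assumptions.

```ruby
# Added example, not code from the ruby-lang.org advisory: a defensive
# consistency check for REXML round trips plus a version gate against the
# fixed release named in the advisory. Names and the sample document are
# this example's own assumptions.
require "rexml/document"
require "rubygems"

# First REXML release that fixes CVE-2021-28965, per the advisory.
FIXED_REXML_VERSION = "3.2.5".freeze

# True when +version+ (a version string) is at or above the fixed release.
# Defaults to the REXML version actually loaded into this process.
def rexml_patched?(version = REXML::VERSION)
  Gem::Version.new(version) >= Gem::Version.new(FIXED_REXML_VERSION)
end

# Reduce an element tree to a plain Ruby structure: element name, sorted
# attribute pairs, and children (nested elements or non-blank text, with
# CDATA treated as text). Comparing two such structures tells us whether a
# round trip preserved what the document actually says.
def structure_of(element)
  attrs = []
  element.attributes.each_attribute { |a| attrs << [a.expanded_name, a.value] }
  children = element.children.map do |child|
    case child
    when REXML::Element then structure_of(child)
    when REXML::Text
      text = child.value
      text.strip.empty? ? nil : [:text, text]
    end
  end.compact
  [element.expanded_name, attrs.sort, children]
end

# Parse, serialize, and parse again; report whether the structure survived.
# Unparseable input counts as unstable rather than raising, so callers can
# use this as a simple gate before trusting a document.
def round_trip_stable?(xml)
  first = REXML::Document.new(xml)
  return false if first.root.nil?
  serialized = +""
  first.write(serialized)
  second = REXML::Document.new(serialized)
  return false if second.root.nil?
  structure_of(first.root) == structure_of(second.root)
rescue REXML::ParseException
  false
end

# Constructed sample input for the demonstration (not from the advisory).
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <order id="42">
    <item sku="A-1">Widget</item>
    <note><![CDATA[x < y]]></note>
  </order>
XML

if $PROGRAM_NAME == __FILE__
  puts "REXML #{REXML::VERSION} patched: #{rexml_patched?}"
  puts "sample round trip stable: #{round_trip_stable?(SAMPLE_XML)}"
end
```

The round-trip check is deliberately conservative: it ignores whitespace-only text and attribute order, so ordinary re-serialization passes, while a change in element nesting, attribute values, or text content is reported as unstable. Running `rexml_patched?` with no argument reports on the REXML actually loaded, which is the quickest way to confirm that `gem update rexml` or a new Ruby release took effect in a given process.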
If you are using Ruby 2.6 or later:
- Please use Ruby 2.6.7, 2.7.3, or 3.0.1.
- Alternatively, you can use `gem update rexml` to update it. If you are using bundler, please add `gem "rexml", ">= 3.2.5"` to your
If you are using Ruby 2.5.8 or prior:
- Please use Ruby 2.5.9.
- You cannot use `gem update rexml` for Ruby 2.5.8 or prior.
- Note that the Ruby 2.5 series is now EOL, so please consider upgrading Ruby to 2.6.7 or later as soon as possible.
Affected versions:
- Ruby 2.5.8 or prior (You can NOT use `gem update rexml` for this version.)
- Ruby 2.6.6 or prior
- Ruby 2.7.2 or prior
- Ruby 3.0.0
- REXML gem 3.2.4 or prior
Thanks to Juho Nurminen for discovering this issue.
- Originally published at 2021-04-05 12:00:00 (UTC)