CVE-2021-28965
medium
CVSS v3
n/a
CVSS v4 NEW
n/a
VIR risk
5.5
Description
RHSA-2021:2588: ruby:2.6 security, bug fix, and enhancement update (Moderate)
Predictions
Exploit likelihood
30%
Patch ETA
n/a
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| n/a | Affected | n/a |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | rubygem-abrt-doc-0.3.0-4.module_el8.5.0+2623+08a8ba32.noarch.rpm |
Arch Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| n/a | Fixed | 3.0.1-1 |
Debian Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| bullseye | Fixed | 2.7.3-1 |
Red Hat Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | n/a |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | n/a |
References
- https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
- https://security.archlinux.org/ASA-202104-1
- https://www.suse.com/security/cve/CVE-2021-28965.html
- https://errata.rockylinux.org/RLSA-2021:2588
- https://errata.rockylinux.org/RLSA-2021:2587
- https://errata.rockylinux.org/RLSA-2021:2584
- https://nvd.nist.gov/vuln/detail/CVE-2021-28965
- https://github.com/ruby/rexml/commit/2fe62e29094d95921d7e19abbd2e26b23d78dc5b
- https://github.com/ruby/rexml/commit/3c137eb119550874b2b3e27d12b733ca67033377
- https://github.com/ruby/rexml/commit/6a250d2cd1194c2be72becbdd9c3e770aa16e752
- https://github.com/ruby/rexml/commit/9b311e59ae05749e082eb6bbefa1cb620d1a786e
- https://github.com/ruby/rexml/commit/a659c63e37414506dfb0d4655e031bb7a2e73fc8
- https://github.com/ruby/rexml/commit/f7bab8937513b1403cea5aff874cbf32fd5e8551
- https://github.com/ruby/rexml/commit/f9d88e4948b4a43294c25dc0edb16815bd9d8618
- https://hackerone.com/reports/1104077
- https://github.com/ruby/rexml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2021-28965.yml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT
- https://rubygems.org/gems/rexml
- https://security.netapp.com/advisory/ntap-20210528-0003
- https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965
- https://security-tracker.debian.org/tracker/CVE-2021-28965
- https://errata.almalinux.org/8/ALSA-2021-2584.html
- https://errata.almalinux.org/8/ALSA-2021-2587.html
- https://errata.almalinux.org/8/ALSA-2021-2588.html