CVE-2024-41946
Description
RHSA-2025:4063: ruby:3.1 security update (Moderate)
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Description rexml: DoS vulnerability in REXML Red Hat statement Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. CVSS v3: 3.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) Errata / fixed releasesβ¦
Workaround
for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Description
rexml: DoS vulnerability in REXML
Red Hat statement
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
CVSS v3: 3.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | ruby:3.3-8100020240906074654.489197e6 | RHSA-2024:6784 | 2024-09-18T00:00:00Z |
| Red Hat Enterprise Linux 8 | ruby:3.1-8100020250407112943.489197e6 | RHSA-2025:4063 | 2025-04-23T00:00:00Z |
| Red Hat Enterprise Linux 8 | pcs-0:0.10.18-2.el8_10.2 | RHSA-2024:6670 | 2024-09-16T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | pcs-0:0.10.12-6.el8_6.6 | RHSA-2024:6702 | 2024-09-16T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | pcs-0:0.10.12-6.el8_6.6 | RHSA-2024:6702 | 2024-09-16T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Extended Update Support | pcs-0:0.10.15-4.el8_8.3 | RHSA-2024:6703 | 2024-09-16T00:00:00Z |
| Red Hat Enterprise Linux 9 | ruby:3.3-9040020240906110954.9 | RHSA-2024:6785 | 2024-09-18T00:00:00Z |
| Red Hat Enterprise Linux 9 | ruby:3.1-9050020250404144903.9 | RHSA-2025:4488 | 2025-05-06T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 10 | ruby:3.3/ruby | Not affected |
| Red Hat Enterprise Linux 8 | ruby:2.5/ruby | Fix deferred |
| Red Hat Enterprise Linux 9 | pcs | Fix deferred |
| Red Hat Enterprise Linux 9 | ruby:3.0/ruby | Fix deferred |
| Red Hat OpenStack Platform 16.1 | puppet-datacat | Fix deferred |
| Red Hat OpenStack Platform 16.1 | puppet-etcd | Fix deferred |
| Red Hat OpenStack Platform 16.1 | puppet-opendaylight | Out of support scope |
| Red Hat OpenStack Platform 16.2 | puppet-datacat | Not affected |
| Red Hat OpenStack Platform 16.2 | puppet-etcd | Not affected |
| Red Hat OpenStack Platform 16.2 | puppet-opendaylight | Not affected |
| Red Hat OpenStack Platform 17.1 | puppet-etcd | Not affected |
| Red Hat Satellite 6 | foreman | Fix deferred |
| Red Hat Satellite 6 | foreman-proxy | Fix deferred |
Apply commands
yum update -y ruby:3
# or:
dnf upgrade -y ruby:3Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 10 | Not affected |
| redhat | Red Hat OpenStack Platform 16.2 | Not affected |
| redhat | Red Hat OpenStack Platform 16.2 | Not affected |
| redhat | Red Hat OpenStack Platform 16.2 | Not affected |
| redhat | Red Hat OpenStack Platform 17.1 | Not affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| β | Affected | β |
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 3.3.5-1 |
| sid | Fixed | 3.3.5-1 |
| forky | Fixed | 3.3.5-1 |
| bullseye | Fixed | 2.7.4-1+deb11u3 |
| bookworm | Affected | β |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | rubygem-rexml-3.3.6-3.module_el9.4.0+115+226a984b.noarch.rpm |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | β |
| 8 | Fixed | β |
Rocky Linux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | β |
| 8 | Fixed | β |
References
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946
- https://access.redhat.com/errata/RHSA-2024:6785
- https://access.redhat.com/errata/RHSA-2025:4488
- https://errata.rockylinux.org/RLSA-2025:4063
- https://errata.rockylinux.org/RLSA-2024:6784
- https://errata.rockylinux.org/RLSA-2024:6670
- https://www.suse.com/security/cve/CVE-2024-41946.html
- https://errata.rockylinux.org/RLSA-2025:4488
- https://errata.rockylinux.org/RLSA-2024:6785
- https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
- https://nvd.nist.gov/vuln/detail/CVE-2024-41946
- https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
- https://github.com/ruby/rexml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-41946.yml
- https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html
- https://security.netapp.com/advisory/ntap-20250117-0007
- https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml
- https://security-tracker.debian.org/tracker/CVE-2024-41946
- https://access.redhat.com/errata/RHSA-2024:6670
- https://bugzilla.redhat.com/2302268
- https://bugzilla.redhat.com/2302272
- https://bugzilla.redhat.com/2307297
- https://errata.almalinux.org/8/ALSA-2024-6670.html
- https://access.redhat.com/errata/RHSA-2024:6784
- https://bugzilla.redhat.com/2298243
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.