Description
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_misc
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210528-0003/
Scores
CVSS v3
7.5
EPSS
0.0058
EPSS Percentile
69.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
Status
published
Products (4)
fedoraproject/fedora
34
ruby-lang/rexml
< 3.2.5
ruby-lang/ruby
< 2.6.7
rubygems/rexml
0 - 3.2.5RubyGems
Published
Apr 21, 2021
Tracked Since
Feb 18, 2026