Added CVE-2024-39908 for rexml gem (#795)

jasnow · web-flow · commit 448d4a3b6961 · 2024-07-16T09:59:47.000-07:00
diff --git a/gems/rexml/CVE-2024-39908.yml b/gems/rexml/CVE-2024-39908.yml
@@ -0,0 +1,37 @@
+---
+gem: rexml
+cve: 2024-39908
+url: https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
+title: DoS in REXML
+date: 2024-07-16
+description: |
+  There is a DoS vulnerability in REXML gem. This vulnerability has
+  been assigned the CVE identifier CVE-2024-39908. We strongly
+  recommend upgrading the REXML gem.
+
+  ## Details
+
+  When it parses an XML that has many specific characters such as
+  <, 0 and %>. REXML gem may take long time.
+
+  Please update REXML gem to version 3.3.2 or later.
+
+  ## Affected versions
+
+  REXML gem 3.3.2 or prior
+
+  ## Credits
+
+  Thanks to mprogrammer for discovering this issue.
+
+  ## History
+
+  Originally published at 2024-07-16 03:00:00 (UTC)
+patched_versions:
+  - ">= 3.3.2"
+related:
+  ghsa:
+    - https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
+  url:
+    - https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908
+    - https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8
