Updated advisory posts against rubysec/ruby-advisory-db@1f32ea5

Author: jasnow

advisories/_posts/2024-08-22-CVE-2024-43398.md

@@ -0,0 +1,59 @@
+---
+layout: advisory
+title: 'CVE-2024-43398 (rexml): REXML denial of service vulnerability'
+comments: false
+categories:
+- rexml
+advisory:
+  gem: rexml
+  cve: 2024-43398
+  ghsa: vmwr-mc7x-5vc3
+  url: https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
+  title: REXML denial of service vulnerability
+  date: 2024-08-22
+  description: |
+    ### Impact
+
+    The REXML gem before 3.3.6 has a DoS vulnerability when it parses an
+    XML that has many deep elements that have same local name attributes.
+
+    If you need to parse untrusted XMLs with tree parser API like
+    `REXML::Document.new`, you may be impacted to this vulnerability.
+    If you use other parser APIs such as stream parser API and SAX2
+    parser API, this vulnerability is not affected.
+
+    This vulnerability has been assigned the CVE identifier CVE-2024-43398.
+    We strongly recommend upgrading the REXML gem.
+
+    ### Patches
+
+    The REXML gem 3.3.6 or later include the patch to fix the
+    vulnerability.
+
+    ### Workarounds
+
+    Don't parse untrusted XMLs with tree parser API.
+
+    ## Affected versions
+
+    REXML gem 3.3.5 or prior
+
+    ## Credits
+
+    Thanks to l33thaxor for discovering this issue.
+
+    ## History
+
+    Originally published at 2024-08-22 03:00:00 (UTC)
+  cvss_v3: 5.9
+  patched_versions:
+  - ">= 3.3.6"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-43398
+    - https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398
+    - https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
+    - https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3
+    - https://github.com/ruby/rexml/releases/tag/v3.3.6
+    - https://github.com/advisories/GHSA-vmwr-mc7x-5vc3
+---