There is an XML round-trip vulnerability in the REXML gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2021-28965. We strongly recommend upgrading the REXML gem.
When parsing and then serializing a crafted XML document, the REXML gem (including the one bundled with Ruby) can produce an XML document whose structure differs from the original one. The impact of this issue depends heavily on context, but it may lead to a vulnerability in some programs that use REXML.
Please update REXML gem to version 3.2.5 or later.
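The following Ruby script is an added example and is not part of the advisory or of REXML itself. It shows the two checks a practitioner would run after reading this notice: whether the loaded REXML version is at or above the fixed release (3.2.5, the number given above), and a generic round-trip integrity check that parses a document with REXML, serializes it, parses the result again and compares the two trees structurally (element names, attributes and text). The sample document is constructed for the example; it is a benign input used to show the check, not the crafted input the advisory refers to.

```ruby
require "rexml/document"
require "rubygems"

# Fixed release named in the advisory.
FIXED_REXML_VERSION = "3.2.5"

# Constructed sample input (not from the advisory). It includes characters
# that must be escaped on output so the round trip exercises serialization.
SAMPLE_XML = <<~XML
  <?xml version="1.0"?>
  <config>
    <user name="alice" role="admin"/>
    <note>5 &lt; 7 &amp; ok</note>
  </config>
XML

# True when the given REXML version string is at or above the fixed release.
# Defaults to the version of the REXML that is actually loaded.
def rexml_fixed_version?(version = (defined?(REXML::VERSION) ? REXML::VERSION : "0"))
  Gem::Version.new(version) >= Gem::Version.new(FIXED_REXML_VERSION)
end

# Reduce a REXML node to a plain nested array describing its structure:
#   element  -> [name, [[attr, value], ...] sorted, [children...]]
#   text     -> ["text", value]   (whitespace-only text is ignored)
#   document -> [children...]
# Declarations and comments are dropped so only structural content is compared.
def structure(node)
  case node
  when REXML::Document
    node.children.map { |c| structure(c) }.compact
  when REXML::Element
    attrs = []
    node.attributes.each_attribute { |a| attrs << [a.expanded_name, a.value] }
    [node.expanded_name, attrs.sort, node.children.map { |c| structure(c) }.compact]
  when REXML::Text
    text = node.value
    text.strip.empty? ? nil : ["text", text]
  end
end

# Parse -> serialize -> parse again, and report whether the structure survived.
# A false result means the serialized form no longer means what the parsed
# document meant, which is exactly the class of problem the advisory describes.
def round_trip_stable?(xml)
  original = REXML::Document.new(xml)
  serialized = original.to_s
  reparsed = REXML::Document.new(serialized)
  structure(original) == structure(reparsed)
end

if __FILE__ == $PROGRAM_NAME
  puts "REXML #{REXML::VERSION}: #{rexml_fixed_version? ? 'fixed' : 'needs update'}"
  puts "sample round trip stable: #{round_trip_stable?(SAMPLE_XML)}"
end
```

On a fixed REXML the sample round trip reports true; the version check is the cheaper of the two and is the one to wire into a deployment check, since the structural comparison only catches a discrepancy for the inputs you happen to feed it.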
If you are using Ruby 2.6 or later:

gem update rexml

to update it. If you are using bundler, please add gem "rexml", ">= 3.2.5" to your Gemfile.

If you are using Ruby 2.5.8 or prior:

gem update rexml

for Ruby 2.5.8 or prior. gem upgrade rexml for this version.)

Thanks to Juho Nurminen for discovering this issue.
Posted by mame on 5 Apr 2021
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/