CVEs affecting projects tracked on Release Alert, from NVD & OSV.
CVE-2024-49761 — HIGH severity vulnerability | Release Alert
CVE-2024-49761
7.5
HIGHCVSS v3
Published
October 28, 2024
Affected
11 projects
Assigned by
GitHub
Severity scale
010
Description
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
ChocolateyRuby is a dynamic, open source programming language focusing on simplicity and productivity. It has an elegant syntax that is natural to read and easy to write.
This package provides a self-contained [Windows-based installer](https://rubyinstaller.org) that includes the Ruby language, an execution environment, important documentation, and more.
## Package Parameters
- `/InstallDir` - Ruby installation directory, by default `c:\tools\RubyXY` where XY are major and minor version parts.
- `/NoPath` - Do not add ruby bin folder to machine PATH.
Example: `choco install ruby --package-parameters="'/NoPath ""/InstallDir:C:\your\install\path""'"`
## Notes
- To install ruby development kit ruby installer provides `ridk` command. It provides an easy way to install msys2 via `ridk install 1`, however, the installation is interactive. To accomplish unattended install, use [msys2](https://chocolatey.org/packages/msys2) package.