CVE-2024-41946

medium

Published 2024-08-01 · Modified 2025-05-06

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2

—

VIR risk

5.5

Description

Moderate: ruby:3.1 security update

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2025-4488.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2024-6785.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2025-4063.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2349700

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2349699

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2349696

vendor Authored 2026-05-27

Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2025:4063

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2024-6784.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2298243

vendor Authored 2026-05-27

Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2024:6784

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2024-6670.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2307297

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2302272

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2302268

vendor Authored 2026-05-27

Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2024:6670

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-41946

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:6785

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2025:4488

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2024-41946.html

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:6670

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:6784

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2025:4063

vendor Authored 2026-05-27

Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2025:4488

vendor Authored 2026-05-27

Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2024:6785

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description rexml: DoS vulnerability in REXML Red Hat statement Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. CVSS v3: 3.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) Errata / fixed releases…

Workaround

for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Description

rexml: DoS vulnerability in REXML

Red Hat statement

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

CVSS v3: 3.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 8	`ruby:3.3-8100020240906074654.489197e6`	RHSA-2024:6784	2024-09-18T00:00:00Z
Red Hat Enterprise Linux 8	`ruby:3.1-8100020250407112943.489197e6`	RHSA-2025:4063	2025-04-23T00:00:00Z
Red Hat Enterprise Linux 8	`pcs-0:0.10.18-2.el8_10.2`	RHSA-2024:6670	2024-09-16T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service	`pcs-0:0.10.12-6.el8_6.6`	RHSA-2024:6702	2024-09-16T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	`pcs-0:0.10.12-6.el8_6.6`	RHSA-2024:6702	2024-09-16T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support	`pcs-0:0.10.15-4.el8_8.3`	RHSA-2024:6703	2024-09-16T00:00:00Z
Red Hat Enterprise Linux 9	`ruby:3.3-9040020240906110954.9`	RHSA-2024:6785	2024-09-18T00:00:00Z
Red Hat Enterprise Linux 9	`ruby:3.1-9050020250404144903.9`	RHSA-2025:4488	2025-05-06T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 10	`ruby:3.3/ruby`	Not affected
Red Hat Enterprise Linux 8	`ruby:2.5/ruby`	Fix deferred
Red Hat Enterprise Linux 9	`pcs`	Fix deferred
Red Hat Enterprise Linux 9	`ruby:3.0/ruby`	Fix deferred
Red Hat OpenStack Platform 16.1	`puppet-datacat`	Fix deferred
Red Hat OpenStack Platform 16.1	`puppet-etcd`	Fix deferred
Red Hat OpenStack Platform 16.1	`puppet-opendaylight`	Out of support scope
Red Hat OpenStack Platform 16.2	`puppet-datacat`	Not affected
Red Hat OpenStack Platform 16.2	`puppet-etcd`	Not affected
Red Hat OpenStack Platform 16.2	`puppet-opendaylight`	Not affected
Red Hat OpenStack Platform 17.1	`puppet-etcd`	Not affected
Red Hat Satellite 6	`foreman`	Fix deferred
Red Hat Satellite 6	`foreman-proxy`	Fix deferred

Apply commands

bash fix

Apply RHSA-2024:6784 for Red Hat Enterprise Linux 8

yum update -y ruby:3
# or:
dnf upgrade -y ruby:3

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 10	`Not affected`
redhat	Red Hat OpenStack Platform 16.2	`Not affected`
redhat	Red Hat OpenStack Platform 16.2	`Not affected`
redhat	Red Hat OpenStack Platform 16.2	`Not affected`
redhat	Red Hat OpenStack Platform 17.1	`Not affected`

OS impact

OS	Version	Status	Fixed in
rhel	9	fixed
rocky	8	fixed
sles		affected
rocky	9	fixed
debian	forky	fixed	`3.3.5-1`
debian	sid	fixed	`3.3.5-1`
debian	trixie	fixed	`3.3.5-1`
debian	bookworm	affected
debian	bullseye	fixed	`2.7.4-1+deb11u3`

Package impact

Ecosystem	Package	Vulnerable	Fixed
RubyGems	rexml	`<>= 3.3.3`	`>= 3.3.3`
RubyGems	rexml	`<3.3.3`	`3.3.3`

References

Verify integrity in audit chain (admin only). AS-IS.