CVE-2024-43398 (MEDIUM): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2024-43398	MEDIUM	rexml	3.2.8	>= 3.3.6	2024-08-22T15:15:16.44Z	2024-09-20T01:28:01.203299429Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/ruby:latest	public.ecr.aws/lambda/ruby@sha256:1573da5cf154596d6bce4f075de41a9ba9f9cc3518b4b50dbaf05d6f521233d8
public.ecr.aws/lambda/ruby:latest	public.ecr.aws/lambda/ruby@sha256:1573da5cf154596d6bce4f075de41a9ba9f9cc3518b4b50dbaf05d6f521233d8
public.ecr.aws/lambda/ruby:3.3	public.ecr.aws/lambda/ruby@sha256:1573da5cf154596d6bce4f075de41a9ba9f9cc3518b4b50dbaf05d6f521233d8
public.ecr.aws/lambda/ruby:3.3	public.ecr.aws/lambda/ruby@sha256:1573da5cf154596d6bce4f075de41a9ba9f9cc3518b4b50dbaf05d6f521233d8
public.ecr.aws/lambda/ruby:3.2	public.ecr.aws/lambda/ruby@sha256:a9243431b374e9c884c633d92e040f59c0fa22158137a9f604996c27bdbc3c7c
public.ecr.aws/lambda/ruby:3.2	public.ecr.aws/lambda/ruby@sha256:a9243431b374e9c884c633d92e040f59c0fa22158137a9f604996c27bdbc3c7c

---

Description

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

---

Remediation Steps

• Update the affected package rexml from version 3.2.8 to >= 3.3.6.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.