{"id":"CVE-2021-28965","details":"The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.","aliases":["BIT-ruby-2021-28965","BIT-ruby-min-2021-28965","GHSA-8cr8-4vfw-mr7h"],"modified":"2026-04-11T12:36:17.772474Z","published":"2021-04-21T07:15:07.677Z","related":["ALSA-2021:2584","ALSA-2021:2587","ALSA-2021:2588","MGASA-2021-0579","SUSE-SU-2021:1280-1","openSUSE-SU-2021:0607-1","openSUSE-SU-2024:11310-1","openSUSE-SU-2024:11311-1","openSUSE-SU-2024:11786-1","openSUSE-SU-2024:12712-1","openSUSE-SU-2024:13623-1","openSUSE-SU-2025:14621-1","openSUSE-SU-2025:15819-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"34"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","source":"CPE_FIELD"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTVFTLFVCSUE5CXHINJEUCKSHU4SWDMT/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210528-0003/"},{"type":"ADVISORY","url":"https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/rexml","events":[{"introduced":"0"},{"fixed":"a622645e980ea5b91ad7b4d6fec32d113f15df88"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"3.2.5"}],"cpe":"cpe:2.3:a:ruby-lang:rexml:*:*:*:*:*:ruby:*:*","source":"CPE_FIELD"}}],"versions":["v3.1.8","v3.1.9","v3.2.0","v3.2.1","v3.2.2","v3.2.3","v3.2.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-28965.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/ruby","events":[{"introduced":"0"},{"fixed":"930143880a8b593e7444b94e2e0522b83a25c671"},{"introduced":"647ee6f091eafcce70ffb75ddf7e121e192ab217"},{"fixed":"6847ee089d7655b2a0eea4fee3133aeacd4cc7cc"},{"introduced":"95aff214687a5e12c3eb57d056665741e734c188"},{"fixed":"0fb782ee38ea37fd5fe8b1f775f8ad866a82a3f0"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.6.7"},{"introduced":"2.7.0"},{"fixed":"2.7.3"},{"introduced":"3.0.0"},{"fixed":"3.0.1"}],"cpe":"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["v1_0_r2","v2_7_0","v2_7_1","v2_7_2","v3_0_0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-28965.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}