CVE-2024-41946 (MEDIUM): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2024-41946	MEDIUM	rexml	3.2.8	>= 3.3.3	2024-08-01T15:15:14.1Z	2024-09-20T01:28:01.203299429Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/ruby:latest	public.ecr.aws/lambda/ruby@sha256:1573da5cf154596d6bce4f075de41a9ba9f9cc3518b4b50dbaf05d6f521233d8
public.ecr.aws/lambda/ruby:3.3	public.ecr.aws/lambda/ruby@sha256:1573da5cf154596d6bce4f075de41a9ba9f9cc3518b4b50dbaf05d6f521233d8
public.ecr.aws/lambda/ruby:3.2	public.ecr.aws/lambda/ruby@sha256:a9243431b374e9c884c633d92e040f59c0fa22158137a9f604996c27bdbc3c7c

---

Description

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

---

Remediation Steps

• Update the affected package rexml from version 3.2.8 to >= 3.3.3.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.

[the-lambda-watchdog]

The vulnerability is no longer present in the latest Lambda Watchdog scans. Marking the issue as resolved. 🤖