CVE-2021-23926

Опубликовано: 14 янв. 2021

Источник: nvd

CVSS3: 9.1

CVSS2: 6.4

EPSS Низкий

Описание

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.

Ссылки

https://issues.apache.org/jira/browse/XMLBEANS-517
Issue Tracking
Vendor Advisory
https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1%40%3Cjava-dev.axis.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/06/msg00024.html
Mailing List
Third Party Advisory
https://poi.apache.org/
Product
Vendor Advisory
https://security.netapp.com/advisory/ntap-20210513-0004/
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
https://issues.apache.org/jira/browse/XMLBEANS-517
Issue Tracking
Vendor Advisory
https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1%40%3Cjava-dev.axis.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/06/msg00024.html
Mailing List
Third Party Advisory
https://poi.apache.org/
Product
Vendor Advisory
https://security.netapp.com/advisory/ntap-20210513-0004/
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:xmlbeans:*:*:*:*:*:*:*:*

Версия до 2.6.0 (включая)

Конфигурация 2

Одно из

cpe:2.3:a:netapp:oncommand_unified_manager_core_package:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*

cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*

Конфигурация 3

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*

EPSS

Процентиль: 55%

0.00322

Низкий

9.1 Critical

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-776

Связанные уязвимости

CVE-2021-23926

CVSS3: 9.1

ubuntu

около 5 лет назад

CVE-2021-23926

CVSS3: 7.4

redhat

около 5 лет назад

CVE-2021-23926

CVSS3: 9.1

debian

около 5 лет назад

The XML parsers used by XMLBeans up to version 2.6.0 did not set the p ...

SUSE-SU-2022:3876-1

suse-cvrf

больше 3 лет назад

Security update for xmlbeans

SUSE-SU-2022:3875-1

suse-cvrf

больше 3 лет назад

Security update for xmlbeans

EPSS

Процентиль: 55%

0.00322

Низкий

9.1 Critical

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-776