CVE-2021-3517

Опубликовано: 19 мая 2021

Источник: nvd

CVSS3: 8.6

CVSS2: 7.5

EPSS Низкий

Описание

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Ссылки

https://bugzilla.redhat.com/show_bug.cgi?id=1954232
Issue Tracking
Patch
Third Party Advisory
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
https://security.gentoo.org/glsa/202107-05
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210625-0002/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20211022-0004/
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Not Applicable
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1954232
Issue Tracking
Patch
Third Party Advisory
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
https://security.gentoo.org/glsa/202107-05
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*

Версия до 2.9.11 (исключая)

Конфигурация 2

Одно из

cpe:2.3:a:redhat:jboss_core_services:-:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Конфигурация 4

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Конфигурация 5

Одно из

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*

cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*

Версия от 11.0.0 (включая) до 11.70.1 (включая)

cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*

cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:santricity_unified_manager:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*

cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*

cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*

cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*

Конфигурация 6

Одновременно

cpe:2.3:o:netapp:hci_h410c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_h410c:-:*:*:*:*:*:*:*

Конфигурация 7

Одно из

cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*

Версия до 8.0.26 (включая)

cpe:2.3:a:oracle:openjdk:8:update301:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

EPSS

Процентиль: 23%

0.00077

Низкий

8.6 High

CVSS3

7.5 High

CVSS2

Дефекты

CWE-787

Связанные уязвимости

CVE-2021-3517

CVSS3: 8.6

ubuntu

больше 4 лет назад

CVE-2021-3517

CVSS3: 8.6

redhat

больше 4 лет назад

CVE-2021-3517

CVSS3: 8.6

msrc

около 4 лет назад

Описание отсутствует

CVE-2021-3517

CVSS3: 8.6

debian

больше 4 лет назад

There is a flaw in the xml entity encoding functionality of libxml2 in ...

GHSA-jw9f-hh49-cvp9

CVSS3: 8.6

github

около 3 лет назад

Nokogiri contains libxml Out-of-bounds Write vulnerability

EPSS

Процентиль: 23%

0.00077

Низкий

8.6 High

CVSS3

7.5 High

CVSS2

Дефекты

CWE-787