CVE Vulnerabilities

CVE-2021-23926

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Published: Jan 14, 2021 | Modified: Nov 07, 2023
CVSS 3.x
9.1
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVSS 2.x
6.4 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:P
RedHat/V2
RedHat/V3
7.4 IMPORTANT
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Ubuntu
MEDIUM

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.

Weakness

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Affected Software

Name Vendor Start Version End Version
Xmlbeans Apache * 2.6.0 (including)
Red Hat Fuse 7.10 RedHat xmlbeans *
Xmlbeans Ubuntu bionic *
Xmlbeans Ubuntu trusty *
Xmlbeans Ubuntu upstream *
Xmlbeans Ubuntu xenial *

Potential Mitigations

References