Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2021-31842

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Published: Sep 17, 2021 | Modified: Nov 21, 2024
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
2.1 LOW
AV:L/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2021-31842
CWEhttps://cwe.mitre.org/data/definitions/776.html

XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack through carefully editing the EPDeploy.xml file and then executing the setup process.

Weakness

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Affected Software

Name Vendor Start Version End Version
Endpoint_security Mcafee * 10.7.0 (excluding)
Endpoint_security Mcafee 10.7.0-april_2020 (including) 10.7.0-april_2020 (including)
Endpoint_security Mcafee 10.7.0-april_2021 (including) 10.7.0-april_2021 (including)
Endpoint_security Mcafee 10.7.0-february_2020 (including) 10.7.0-february_2020 (including)
Endpoint_security Mcafee 10.7.0-february_2021 (including) 10.7.0-february_2021 (including)
Endpoint_security Mcafee 10.7.0-july_2020 (including) 10.7.0-july_2020 (including)
Endpoint_security Mcafee 10.7.0-june_2021 (including) 10.7.0-june_2021 (including)
Endpoint_security Mcafee 10.7.0-november_2020 (including) 10.7.0-november_2020 (including)
Endpoint_security Mcafee 10.7.0-september_2020 (including) 10.7.0-september_2020 (including)

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use