CVE-2021-23926

CWE-776 — XML Entity Expansion (Billion Laughs)15 documents7 sources

Severity

9.1CRITICAL

EPSS

0.4%

top 36.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Xmlbeans Apache Xmlbeans Debian Debian Linux +2 more

Timeline

PublishedJan 14

Latest updateJan 15

Description

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages6 packages

▶Mavenorg.apache.xmlbeans:xmlbeans< 3.0.0

▶Debianxmlbeans< 3.0.2-1+3

▶NVDapache/xmlbeans2.6.0

▶CVEListV5apache_software_foundation/apache_xmlbeansApache XMLBeans — 2.6.0

▶NVDoracle/peoplesoft_enterprise_peopletools8.57, 8.58, 8.59+2

Also affects: Debian Linux 9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Improper Restriction of Recursive Entity References in Apache XMLBeans↗2021-06-16

▶

OSV

Improper Restriction of Recursive Entity References in Apache XMLBeans↗2021-06-16

▶

OSV

CVE-2021-23926: The XML parsers used by XMLBeans up to version 2↗2021-01-14

▶

CVEList

XMLBeans XML Entity Expansion↗2021-01-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle Analytics Risk Matrix: Core (Apache XMLBeans) — CVE-2021-23926↗2026-01-15

▶

Oracle

Oracle Oracle Analytics Risk Matrix: BI Platform Security (Apache XMLBeans) — CVE-2021-23926↗2025-01-15

▶

Oracle

Oracle Oracle Analytics Risk Matrix: BI FNDN (Apache XMLBeans) — CVE-2021-23926↗2024-07-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Fabric Layer (Apache XMLBeans) — CVE-2021-23926↗2023-07-15

▶

Oracle

Oracle Oracle Analytics Risk Matrix: Visual Analyzer (Apache POI) — CVE-2021-23926↗2023-04-15

▶