CVE-2021-33813
Published: 2021-06-16
CVE-2021-33813: An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
Priority P345 · high · 7.5 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 19.44% (97.0th percentile)
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | solr | — | — |
| apache | solr | — | — |
| apache | tika | — | — |
| debian | debian_linux | — | — |
| debian | libjdom1-java | < libjdom1-java 1.1.3-2.1 (bookworm) | libjdom1-java 1.1.3-2.1 (bookworm) |
| debian | libjdom2-intellij-java | < libjdom1-java 1.1.3-2.1 (bookworm) | libjdom1-java 1.1.3-2.1 (bookworm) |
| debian | libjdom2-java | < libjdom1-java 1.1.3-2.1 (bookworm) | libjdom1-java 1.1.3-2.1 (bookworm) |
| fedoraproject | fedora | — | — |
| jdom | jdom | <= 2.0.6 | — |
| oracle | communications_messaging_server | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_oracle | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Oracle
Oracle Siebel CRM Risk Matrix: Application Interface (JDOM) — CVE-2021-33813
vendor_oracle · 2026-01-15 · CVSS 7.5 (HIGH)
CVE: CVE-2021-33813
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2026 (JAN 2026)
Oracle
Oracle Siebel CRM Risk Matrix: EAI (JDOM) — CVE-2021-33813
vendor_oracle · 2025-07-15 · CVSS 7.5 (HIGH)
CVE: CVE-2021-33813
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2025 (JUL 2025)
Oracle
Oracle Analytics Risk Matrix: Web Catalog (JDOM) — CVE-2021-33813
vendor_oracle · 2025-01-15 · CVSS 7.5 (HIGH)
CVE: CVE-2021-33813
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2025 (JAN 2025)
Oracle
Oracle Fusion Middleware Risk Matrix: Security Framework (Apache Solr) — CVE-2021-33813
vendor_oracle · 2024-01-15 · CVSS 7.5 (HIGH)
CVE: CVE-2021-33813
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2024 (JAN 2024)
Oracle
Oracle Fusion Middleware Risk Matrix: OSB Web Console Design, Admin (JDOM) — CVE-2021-33813
vendor_oracle · 2023-07-15 · CVSS 7.5 (HIGH)
CVE: CVE-2021-33813
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2023 (JUL 2023)
Oracle
Oracle HealthCare Applications Risk Matrix: Upload Service (Apache Tika) — CVE-2021-33813
vendor_oracle · 2022-07-15 · CVSS 7.5 (HIGH)
CVE: CVE-2021-33813
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2022 (JUL 2022)
Oracle
Oracle Communications Applications Risk Matrix: ISC (Apache Tika) — CVE-2021-33813
vendor_oracle · 2022-04-15 · CVSS 7.5 (HIGH)
CVE: CVE-2021-33813
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2022 (APR 2022)
Red Hat
jdom: XXE allows attackers to cause a DoS via a crafted HTTP request
vendor_redhat · 2021-06-08 · CVSS 7.5 (HIGH) · CWE-611
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
Statement: In OpenShift Container Platform (OCP), the hive and hadoop components that comprise the OCP metering stack ship the vulnerable version of jdom.
Since the release of OCP 4.6, the metering product has been deprecated [1]; hence the affected components are marked as wontfix.
This may be fixed in the future.
This flaw is out of support scope for Red Hat Enterprise Linux 6 and 7. Please see the following page for more information on Red Hat Enterprise Linux support scopes: https://access.redhat.com/support/policy/updates/errata/
[1] https://docs.openshift.com/container-platform/4.6/release_
Debian
CVE-2021-33813: libjdom1-java - An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a den...
vendor_debian · 2021 · CVSS 7.5 (HIGH)
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
Scope: local
bookworm: resolved (fixed in 1.1.3-2.1)
bullseye: resolved (fixed in 1.1.3-2.1)
forky: resolved (fixed in 1.1.3-2.1)
sid: resolved (fixed in 1.1.3-2.1)
trixie: resolved (fixed in 1.1.3-2.1)
OSV
XML External Entity (XXE) Injection in JDOM
osv · 2021-07-27 · HIGH
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. As a workaround, to avoid external entities being expanded, one can call `builder.setExpandEntities(false)` and they won't be expanded.
GHSA
XML External Entity (XXE) Injection in JDOM
ghsa · 2021-07-27 · HIGH · CWE-611
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. As a workaround, to avoid external entities being expanded, one can call `builder.setExpandEntities(false)` and they won't be expanded.
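The `builder.setExpandEntities(false)` workaround quoted in the OSV and GHSA entries above, shown in context as an added example; this is not code from the JDOM project or from any of the advisories. The class name `HardenedJdomParser`, the two builder factory methods and the sample XML are constructed for illustration. It assumes JDOM 2.x on the classpath and the JDK's default (Xerces-derived) SAX parser, whose standard feature URIs are used; the sample DTD declares only a harmless internal entity so the effect of each setting can be seen without any external reference.

```java
import java.io.StringReader;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;

public class HardenedJdomParser {

    // Constructed sample: a DTD declaring a harmless internal entity. It stands in
    // for any untrusted XML a service might receive in an HTTP request body.
    static final String SAMPLE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [ <!ENTITY greeting \"hello\"> ]>\n"
        + "<note>&greeting;</note>";

    static final String SAMPLE_PLAIN = "<note>hello</note>";

    /** Strictest option: refuse any DOCTYPE at all. Appropriate when the
     *  application never legitimately needs DTDs (the common case). */
    public static SAXBuilder strictBuilder() {
        SAXBuilder builder = new SAXBuilder();
        // Standard Xerces feature: a document containing a DOCTYPE fails to parse.
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        builder.setExpandEntities(false);
        return builder;
    }

    /** Tolerant option: accept a DOCTYPE but never resolve anything external
     *  and leave entity references unexpanded (the advisory workaround plus the
     *  standard SAX/Xerces features that block external entity and DTD loading). */
    public static SAXBuilder tolerantBuilder() {
        SAXBuilder builder = new SAXBuilder();
        builder.setExpandEntities(false);   // the workaround quoted by OSV/GHSA
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return builder;
    }

    public static void main(String[] args) throws Exception {
        // A DTD-free document parses normally under the strict builder.
        Document ok = strictBuilder().build(new StringReader(SAMPLE_PLAIN));
        System.out.println("strict, no DTD: " + ok.getRootElement().getText());

        // The same builder rejects any document that carries a DOCTYPE.
        try {
            strictBuilder().build(new StringReader(SAMPLE_WITH_DTD));
            System.out.println("strict, DTD: unexpectedly accepted");
        } catch (JDOMException e) {
            System.out.println("strict, DTD: rejected (" + e.getMessage() + ")");
        }

        // The tolerant builder parses the document but keeps the reference as an
        // EntityRef node in the tree instead of substituting the entity's text.
        Document tolerated = tolerantBuilder().build(new StringReader(SAMPLE_WITH_DTD));
        System.out.println("tolerant, DTD: root content = "
            + tolerated.getRootElement().getContent());
    }
}
```

Prefer the strict builder wherever incoming XML has no legitimate reason to carry a DOCTYPE; it removes the entire DTD attack surface rather than relying on one flag. Where DTDs must be accepted, the tolerant builder keeps `setExpandEntities(false)` from the advisory and additionally stops the underlying SAX parser from fetching external entities or DTDs. In both cases the change is confined to how the `SAXBuilder` is constructed, so it can be rolled out centrally (one factory method) and audited by grepping for bare `new SAXBuilder()` calls.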
OSV
CVE-2021-33813: An XXE issue in SAXBuilder in JDOM through 2
osv · 2021-06-16 · CVSS 7.5 (HIGH)
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
No detection rules found.
No public exploits indexed.
References
- https://alephsecurity.com/vulns/aleph-2021003
- https://github.com/hunterhacker/jdom/pull/188
- https://github.com/hunterhacker/jdom/releases
- https://lists.apache.org/thread.html/r21c406c7ed88fe340db7dbae75e58355159e6c324037c7d5547bf40b%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r5674106135bb1a6ef57483f4c63a9c44bca85d0e2a8a05895a8f1d89%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r6db397ae7281ead825338200d1f62d2827585a70797cc9ac0c4bd23f%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r845e987b7cd8efe610284958e997b84583f5a98d3394adc09e3482fe%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r89b3800cfabb1e773e49425e5d4239c28a659839a2eca6af3431482e%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/rfb7a93e40ebeb1e0068cde0bf3834dcab46bb1ef06d6424db48ed9fd%40%3Cdev.tika.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/06/msg00026.html
- https://lists.debian.org/debian-lts-announce/2021/07/msg00012.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AH46QHE5GIMT6BL6C3GDTOYF27JYILXM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWFVYTHGILOQXUA7U3SPOERQXL7OPSZG/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html