CVE-2021-3517: There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed…

high8.6CVSS 3.1

AVNACLPRNUINSUCLILAH

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Affected

27 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	libxml2	< libxml2 2.9.10+dfsg-6.6 (bookworm)	libxml2 2.9.10+dfsg-6.6 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
msrc	cm1_libxml2_2.9.12-1_on_cbl_mariner_1.0	—	—
netapp	e-series_santricity_os_controller	11.0.0 – 11.70.1	—
nokogiri	nokogiri	>= 0 < 1.11.4	1.11.4
oracle	communications_cloud_native_core_network_function_cloud_native_environment	—	—
oracle	enterprise_manager_base_platform	—	—
oracle	enterprise_manager_base_platform	—	—
oracle	mysql_workbench	<= 8.0.26	—
oracle	openjdk	—	—
oracle	peoplesoft_enterprise_peopletools	—	—
oracle	real_user_experience_insight	—	—
oracle	real_user_experience_insight	—	—
oracle	zfs_storage_appliance_kit	—	—
redhat	enterprise_linux	—	—
xmlsoft	libxml2	< 2.9.11	2.9.11
xmlsoft	libxml2	—	—
xmlsoft	libxml2	>= 0 < 2.9.10+dfsg-6.6	2.9.10+dfsg-6.6
xmlsoft	libxml2	>= 0 < 2.9.10+dfsg-6.6	2.9.10+dfsg-6.6
xmlsoft	libxml2	>= 0 < 2.9.10+dfsg-6.6	2.9.10+dfsg-6.6
xmlsoft	libxml2	>= 0 < 2.9.10+dfsg-6.6	2.9.10+dfsg-6.6
xmlsoft	libxml2	>= 0 < 2.9.4+dfsg1-6.1ubuntu1.4	2.9.4+dfsg1-6.1ubuntu1.4
xmlsoft	libxml2	>= 0 < 2.9.10+dfsg-5ubuntu0.20.04.1	2.9.10+dfsg-5ubuntu0.20.04.1

CVSS provenance

nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

ghsa7.5HIGH

osv9.1CRITICAL