CVE-2021-3518

CWE-416 Use After Free | 14 documents | 10 sources
Severity
8.8HIGH
EPSS
0.3%
Top 51.60% (EPSS percentile)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 18
Latest update: May 24

Description

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (10 packages)

NVD | xmlsoft/libxml2 | < 2.9.11
Debian | libxml2 | < 2.9.10+dfsg-6.6+3
CVEListV5 | libxml2 | libxml2 2.9.11
RubyGems | nokogiri | < 1.11.4

Also affects: Debian Linux 9.0, Fedora 33, 34, Enterprise Linux 8.0

Patches

Vulnerability Details (6)

GHSA: Nokogiri Implements libxml2 version vulnerable to use-after-free (2022-05-24)
OSV: Nokogiri Implements libxml2 version vulnerable to use-after-free (2022-05-24)
OSV: CVE-2021-3518: There's a flaw in libxml2 in versions before 2 (2021-05-18)
CVEList: CVE-2021-3518: There's a flaw in libxml2 in versions before 2 (2021-05-18)
OSV: Nokogiri updates packaged dependency on libxml2 from 2.9.10 to 2.9.12 (2021-05-17)

Vendor Advisories (7)

Oracle: Oracle Communications Risk Matrix: OC-CNE (libxml2) — CVE-2021-3518 (2022-04-15)
Oracle: Oracle Enterprise Manager Risk Matrix: Guest Management (libxml2) — CVE-2021-3518 (2021-10-15)
Ubuntu: libxml2 vulnerabilities (2021-06-17)
Microsoft: There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest (2021-05-11)
Red Hat: libxml2: Use-after-free in xmlXIncludeDoProcess() in xinclude.c (2021-04-22)