CVE-2021-3537 — NULL Pointer Dereference in Libxml2

CWE-476 — NULL Pointer Dereference11 documents9 sources

Severity

5.9MEDIUMNVD

GHSA7.5

EPSS

0.1%

top 70.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xmlsoft Libxml2 Nokogiri Oracle Mysql Workbench +9 more

Timeline

PublishedMay 14

Latest updateOct 15

Description

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages11 packages

▶NVDxmlsoft/libxml2< 2.9.11

▶Debianxmlsoft/libxml2< 2.9.10+dfsg-6.6+3

▶CVEListV5xmlsoft/libxml2libxml2 2.9.11

▶RubyGemsnokogiri/nokogiri< 1.11.4

▶NVDoracle/mysql_workbench8.0.26

Also affects: Debian Linux 9.0, Fedora 33, 34, Enterprise Linux 6.0, 7.0, 8.0

Patches

Patch: bugzilla.redhat.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing↗2022-05-24

▶

OSV

Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing↗2022-05-24

▶

GHSA

Nokogiri updates packaged dependency on libxml2 from 2.9.10 to 2.9.12↗2021-05-17

▶

CVEList

CVE-2021-3537: A vulnerability found in libxml2 in versions before 2↗2021-05-14

▶

OSV

CVE-2021-3537: A vulnerability found in libxml2 in versions before 2↗2021-05-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (libxml2) — CVE-2021-3537↗2022-10-15

▶

Ubuntu

libxml2 vulnerabilities↗2021-06-17

▶

Microsoft

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content causing a NULL dereference. If an untrusted XML document was parsed in↗2021-05-11

▶

Red Hat

libxml2: NULL pointer dereference when post-validating mixed content parsed in recovery mode↗2021-05-01

▶

Debian

CVE-2021-3537: libxml2 - A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not...↗2021

▶