CVE-2021-3537: A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference…

medium5.9CVSS 3.1

AVNACHPRNUINSUCNINAH

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

Affected

28 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	libxml2	< libxml2 2.9.10+dfsg-6.6 (bookworm)	libxml2 2.9.10+dfsg-6.6 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
msrc	cm1_libxml2_2.9.12-1_on_cbl_mariner_1.0	—	—
nokogiri	nokogiri	>= 0 < 1.11.4	1.11.4
oracle	communications_cloud_native_core_network_function_cloud_native_environment	—	—
oracle	enterprise_manager_base_platform	—	—
oracle	enterprise_manager_base_platform	—	—
oracle	enterprise_manager_ops_center	—	—
oracle	mysql_workbench	<= 8.0.26	—
oracle	openjdk	—	—
oracle	peoplesoft_enterprise_peopletools	—	—
oracle	real_user_experience_insight	—	—
oracle	real_user_experience_insight	—	—
redhat	enterprise_linux	—	—
redhat	enterprise_linux	—	—
redhat	enterprise_linux	—	—
xmlsoft	libxml2	< 2.9.11	2.9.11
xmlsoft	libxml2	—	—
xmlsoft	libxml2	>= 0 < 2.9.10+dfsg-6.6	2.9.10+dfsg-6.6
xmlsoft	libxml2	>= 0 < 2.9.10+dfsg-6.6	2.9.10+dfsg-6.6
xmlsoft	libxml2	>= 0 < 2.9.10+dfsg-6.6	2.9.10+dfsg-6.6
xmlsoft	libxml2	>= 0 < 2.9.10+dfsg-6.6	2.9.10+dfsg-6.6
xmlsoft	libxml2	>= 0 < 2.9.4+dfsg1-6.1ubuntu1.4	2.9.4+dfsg1-6.1ubuntu1.4

CVSS provenance

nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

ghsa7.5HIGH

osv9.1CRITICAL