CVE-2021-23926
CRITICAL severity · CVSS 9.1 · CWE-776
Summary
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
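As an added, defender-side illustration (not taken from this record or from XMLBeans' own code): the parser hardening that the affected versions left to the caller, done explicitly by handing XMLBeans a locked-down SAX reader through XmlOptions#setLoadUseXMLReader, plus a self-check that a DOCTYPE-bearing document is refused before any entity could be expanded. It assumes XMLBeans and a Xerces-based JAXP parser (such as the JDK's) on the classpath, and that the Reader-based parse honors the supplied XMLReader.

```java
// Added example, not XMLBeans project code. Assumes org.apache.xmlbeans on the
// classpath and a Xerces-based SAX implementation that knows the Apache features.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.XMLReader;

public class HardenedXmlBeansLoad {

    /** SAX reader that refuses any DOCTYPE, so no entity (internal or external)
     *  can be declared, let alone expanded; external DTD loading is off as well. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser().getXMLReader();
    }

    /** Parse untrusted XML through XMLBeans with the hardened reader instead of
     *  the library's default one (assumption: the Reader overload honors it). */
    static XmlObject parseUntrusted(String xml) throws Exception {
        XmlOptions opts = new XmlOptions();
        opts.setLoadUseXMLReader(hardenedReader());
        return XmlObject.Factory.parse(new StringReader(xml), opts);
    }

    /** Self-check with a constructed input: a document carrying a DOCTYPE must be
     *  rejected outright. Returns false if it parses, i.e. the reader is not in use. */
    static boolean rejectsDoctype() throws Exception {
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE r><r>x</r>";
        try {
            parseUntrusted(withDoctype);
            return false;          // parsed silently: hardening not applied
        } catch (XmlException expected) {
            return true;           // refused at the DOCTYPE, as intended
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain XML parses: " + parseUntrusted("<r>ok</r>").xmlText());
        System.out.println("DOCTYPE rejected: " + rejectsDoctype());
    }
}
```

Run the self-check in a startup test so a later parser or dependency swap that silently drops the hardening is caught immediately.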
Impact & exploitability
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality impact: High
Integrity impact: None
Availability impact: High
Exploit probability (EPSS): 6%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: https://www.oracle.com/security-alerts/cpujul2022.html
Additional information
- NVD record
- Patch: https://www.oracle.com/security-alerts/cpujul2022.html
- Patch: https://www.oracle.com/security-alerts/cpuoct2021.html
- Advisory: https://issues.apache.org/jira/browse/XMLBEANS-517
- Advisory: https://poi.apache.org/
- https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed%40%3Cjava-dev.axis.apache.org%3E
- https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1%40%3Cjava-dev.axis.apache.org%3E
- Advisory: https://lists.debian.org/debian-lts-announce/2021/06/msg00024.html
- Advisory: https://security.netapp.com/advisory/ntap-20210513-0004/