CVE-2021-21366 — MEDIUM (4.3)

Q: How severe is CVE-2021-21366?

CVE-2021-21366 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-21366?

Check the references section above for vendor advisories and patch information. Affected products include: Xmldom Project Xmldom, Debian Debian Linux.

Vulnerability Description

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Xmldom Project	Xmldom	< 0.5.0
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-436 CWE-115

References

https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135Patch
https://github.com/xmldom/xmldom/releases/tag/0.5.0Release Notes
https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfvVendor Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00000.htmlMailing ListThird Party Advisory
https://www.npmjs.com/package/xmldomProduct
https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135Patch
https://github.com/xmldom/xmldom/releases/tag/0.5.0Release Notes
https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfvVendor Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00000.htmlMailing ListThird Party Advisory
https://www.npmjs.com/package/xmldomProduct

FAQ

What is CVE-2021-21366?

CVE-2021-21366 is a vulnerability with a CVSS score of 4.3 (MEDIUM). xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespac...

How severe is CVE-2021-21366?

CVE-2021-21366 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21366?

Check the references section above for vendor advisories and patch information. Affected products include: Xmldom Project Xmldom, Debian Debian Linux.