CRITICAL · 9.1

CVE-2021-23926

Vulnerability Description

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: HIGH

Affected Products

Vendor    Product                                   Versions
Apache    Xmlbeans                                  <= 2.6.0
Netapp    Oncommand Unified Manager Core Package    -
Netapp    Snap Creator Framework                    -
Netapp    Snapmanager                               -
Debian    Debian Linux                              9.0
Oracle    Middleware Common Libraries And Tools     12.2.1.3.0
Oracle    Peoplesoft Enterprise Peopletools         8.57

Related Weaknesses (CWE)

References

FAQ

What is CVE-2021-23926?

CVE-2021-23926 is a vulnerability with a CVSS score of 9.1 (CRITICAL). The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks.

How severe is CVE-2021-23926?

CVE-2021-23926 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-23926?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Xmlbeans, Netapp Oncommand Unified Manager Core Package, Netapp Snap Creator Framework, Netapp Snapmanager, Debian Debian Linux.