Vulnerability Description
There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xmlsoft | Xmllint | < 2.9.11 |
| Debian | Debian Linux | 9.0 |
| Fedoraproject | Fedora | 33 |
| Redhat | Jboss Core Services | - |
| Redhat | Enterprise Linux | 6.0 |
| Netapp | Clustered Data Ontap | - |
| Netapp | Clustered Data Ontap Antivirus Connector | - |
| Netapp | Ontap Select Deploy Administration Utility | - |
| Oracle | Zfs Storage Appliance Kit | 8.8 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1954225Issue TrackingThird Party Advisory
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9PatchThird Party Advisory
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/230ExploitIssue TrackingThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/05/msg00008.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202107-05Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210716-0005/Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1954225Issue TrackingThird Party Advisory
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9PatchThird Party Advisory
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/230ExploitIssue TrackingThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/05/msg00008.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2021-3516?
CVE-2021-3516 is a vulnerability with a CVSS score of 7.8 (HIGH). There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this f...
How severe is CVE-2021-3516?
CVE-2021-3516 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-3516?
Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Xmllint, Debian Debian Linux, Fedoraproject Fedora, Redhat Jboss Core Services, Redhat Enterprise Linux.