Vulnerability Description
There is a flaw in the XML entity encoding functionality of libxml2 (xmlEncodeEntitiesInternal in entities.c) in versions before 2.9.11. An attacker who can supply a crafted file to an application linked against the affected part of libxml2 can trigger an out-of-bounds read while the library encodes text into entity form. The most likely impact is to availability (the parsing process crashes); confidentiality and integrity can also be affected if the out-of-bounds memory contents reach the attacker and help with further exploitation of the application. The flaw is fixed upstream in libxml2 2.9.11; distributions that backport the fix keep an older version number, so for packaged libxml2 check the vendor advisory or package changelog rather than the upstream version alone.
CVSS Score
8.6 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xmlsoft | Libxml2 | < 2.9.11 |
| Redhat | Jboss Core Services | - |
| Redhat | Enterprise Linux | 8.0 |
| Fedoraproject | Fedora | 33 |
| Debian | Debian Linux | 9.0 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Clustered Data Ontap | - |
| Netapp | Clustered Data Ontap Antivirus Connector | - |
| Netapp | E-Series Santricity Os Controller | >= 11.0.0, <= 11.70.1 |
| Netapp | E-Series Santricity Storage Manager | - |
| Netapp | E-Series Santricity Web Services | - |
| Netapp | Hci Management Node | - |
| Netapp | Manageability Software Development Kit | - |
| Netapp | Oncommand Insight | - |
| Netapp | Oncommand Workflow Automation | - |
| Netapp | Ontap Select Deploy Administration Utility | - |
| Netapp | Santricity Unified Manager | - |
| Netapp | Snapdrive | - |
| Netapp | Snapmanager | - |
| Netapp | Solidfire | - |
Related Weaknesses (CWE)
CWE-125: Out-of-bounds Read
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1954232 (Issue Tracking, Patch, Third Party Advisory)
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e3
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8
- https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202107-05 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20210625-0002/ (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20211022-0004/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Not Applicable)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-3517?
CVE-2021-3517 is an out-of-bounds read in the XML entity encoding functionality of libxml2 in versions before 2.9.11, with a CVSS base score of 8.6 (HIGH). An attacker who can supply a crafted file to be processed by an application linked with the affected functionality of libxml2 can trigger the out-of-bounds read, most likely crashing the application and possibly exposing memory contents.
How severe is CVE-2021-3517?
CVE-2021-3517 has been rated HIGH with a CVSS base score of 8.6/10. The primary impact is loss of availability (a crash of the process that parses the crafted input); confidentiality and integrity impact is limited to what an attacker can gain from the out-of-bounds memory read.
Is there a patch for CVE-2021-3517?
Yes. The upstream fix is in libxml2 2.9.11. For packaged builds, check the vendor advisories in the references section above (Debian, Fedora, Gentoo, NetApp, Oracle and Red Hat), since distributions typically backport the fix without raising the version to 2.9.11. Affected products include: Xmlsoft Libxml2, Redhat Jboss Core Services, Redhat Enterprise Linux, Fedoraproject Fedora, Debian Debian Linux, and the NetApp products listed in the table above.
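An added example covering both the affected range in the description (libxml2 before 2.9.11) and the patch question above. It is not code from the advisory or from the libxml2 project: a POSIX shell check that decides whether a libxml2 version string falls in the affected range, and, for distribution packages, whether the package changelog records the CVE id, which is how backports ship the fix while keeping a version number below 2.9.11. The function names (`vercmp`, `libxml2_version_vulnerable`, `changelog_has_fix`, `assess`), the sample version strings and the changelog excerpt are constructed for this example.

```shell
#!/bin/sh
# Added example for CVE-2021-3517 (not from the advisory or libxml2).
# Classifies an installed libxml2 as "fixed", "patched (backport)" or
# "vulnerable" from its version string and, optionally, its package changelog.
set -u

FIXED_VERSION="2.9.11"   # first upstream release containing the fix

# vercmp A B: prints -1, 0 or 1 for A <, =, > B, comparing dot-separated
# numeric components; a missing component counts as 0 (so 2.9 < 2.9.11).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        : "${ai:=0}" "${bi:=0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# libxml2_version_vulnerable VERSION: succeeds if VERSION < 2.9.11 by number
# alone. Distro suffixes such as "+dfsg1-2.2+deb9u4" are stripped first, so a
# backported package still reports as vulnerable here; see assess() below.
libxml2_version_vulnerable() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    [ "$(vercmp "$v" "$FIXED_VERSION")" -eq -1 ]
}

# changelog_has_fix: reads a package changelog on stdin and succeeds if the
# CVE id appears. Debian and RPM changelogs name the CVE when a fix is
# backported without bumping the upstream version.
changelog_has_fix() {
    grep -q 'CVE-2021-3517'
}

# assess VERSION CHANGELOG_TEXT: prints the classification.
assess() {
    if ! libxml2_version_vulnerable "$1"; then
        printf '%s\n' "fixed"
    elif printf '%s\n' "$2" | changelog_has_fix; then
        printf '%s\n' "patched (backport)"
    else
        printf '%s\n' "vulnerable"
    fi
}

# Constructed changelog excerpt for the demo (illustrative, not a real entry).
SAMPLE_CHANGELOG='libxml2 (2.9.4+dfsg1-2.2+deb9u4) stretch-security; urgency=high
  * CVE-2021-3517: out-of-bounds read in xmlEncodeEntitiesInternal'

# Stand-alone demo on constructed inputs. On a live host, feed the real values
# instead, for example:
#   assess "$(pkg-config --modversion libxml-2.0)" "$(rpm -q --changelog libxml2 2>/dev/null)"
# or, on Debian, the text of /usr/share/doc/libxml2/changelog.Debian.gz.
echo "2.9.10 -> $(assess 2.9.10 '')"
echo "2.9.11 -> $(assess 2.9.11 '')"
echo "2.9.4+dfsg1-2.2+deb9u4 with changelog -> $(assess '2.9.4+dfsg1-2.2+deb9u4' "$SAMPLE_CHANGELOG")"
```

The version comparison alone is only a first pass: Debian 9 and RHEL 8 in the affected-products table ship libxml2 2.9.x packages whose upstream number never reaches 2.9.11, so the changelog check (or the vendor advisory) is what actually answers the patch question for them.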