CVE-2021-46143 — HIGH (8.1)

Q: What is CVE-2021-46143?

CVE-2021-46143 is a vulnerability with a CVSS score of 8.1 (HIGH). In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

Q: How severe is CVE-2021-46143?

CVE-2021-46143 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-46143?

Check the references section above for vendor advisories and patch information. Affected products include: Libexpat Project Libexpat, Netapp Active Iq Unified Manager, Netapp Clustered Data Ontap, Netapp Hci Baseboard Management Controller, Netapp Oncommand Workflow Automation.

Vulnerability Description

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libexpat Project	Libexpat	< 2.4.3
Netapp	Active Iq Unified Manager	-
Netapp	Clustered Data Ontap	-
Netapp	Hci Baseboard Management Controller	h610c
Netapp	Oncommand Workflow Automation	-
Netapp	Solidfire \& Hci Management Node	-
Tenable	Nessus	< 8.15.3
Siemens	Sinema Remote Connect Server	< 3.1

Related Weaknesses (CWE)

CWE-190

References

http://www.openwall.com/lists/oss-security/2022/01/17/3Mailing ListPatchThird Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdfPatchThird Party Advisory
https://github.com/libexpat/libexpat/issues/532ExploitIssue TrackingPatch
https://github.com/libexpat/libexpat/pull/538PatchThird Party Advisory
https://security.gentoo.org/glsa/202209-24Third Party Advisory
https://security.netapp.com/advisory/ntap-20220121-0006/Third Party Advisory
https://www.debian.org/security/2022/dsa-5073Third Party Advisory
https://www.tenable.com/security/tns-2022-05Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/01/17/3Mailing ListPatchThird Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdfPatchThird Party Advisory
https://github.com/libexpat/libexpat/issues/532ExploitIssue TrackingPatch
https://github.com/libexpat/libexpat/pull/538PatchThird Party Advisory
https://security.gentoo.org/glsa/202209-24Third Party Advisory
https://security.netapp.com/advisory/ntap-20220121-0006/Third Party Advisory
https://www.debian.org/security/2022/dsa-5073Third Party Advisory

FAQ

What is CVE-2021-46143?

CVE-2021-46143 is a vulnerability with a CVSS score of 8.1 (HIGH). In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

How severe is CVE-2021-46143?

CVE-2021-46143 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-46143?

Check the references section above for vendor advisories and patch information. Affected products include: Libexpat Project Libexpat, Netapp Active Iq Unified Manager, Netapp Clustered Data Ontap, Netapp Hci Baseboard Management Controller, Netapp Oncommand Workflow Automation.