Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.5
CVSSv2

CVE-2021-3517

Published: 19/05/2021 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 8.6 | Impact Score: 4.7 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Xmlsoft

Vulnerability Summary

There is a flaw in the xml entity encoding functionality of libxml2 in versions prior to 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

xmlsoft libxml2

redhat jboss core services -

redhat enterprise linux 8.0

fedoraproject fedora 33

fedoraproject fedora 34

debian debian linux 9.0

netapp snapmanager -

netapp oncommand workflow automation -

netapp oncommand insight -

netapp ontap select deploy administration utility -

netapp clustered data ontap -

netapp e-series santricity storage manager -

netapp clustered data ontap antivirus connector -

netapp snapdrive -

netapp solidfire -

netapp hci management node -

netapp active iq unified manager -

netapp santricity unified manager -

netapp manageability software development kit -

netapp e-series santricity web services -

netapp e-series santricity os controller

netapp hci_h410c_firmware -

oracle peoplesoft enterprise peopletools 8.58

oracle enterprise manager base platform 13.4.0.0

oracle zfs storage appliance kit 8.8

oracle openjdk 8

oracle enterprise manager base platform 13.5.0.0

oracle mysql workbench

oracle real user experience insight 13.4.1.0

oracle real user experience insight 13.5.1.0

oracle communications cloud native core network function cloud native environment 1.10.0

Vendor Advisories

Debian CVElist Bug Report Logs: libxml2: CVE-2021-3517
Debian Bug report logs - #987738 libxml2: CVE-2021-3517 Package: src:libxml2; Maintainer for src:libxml2 is Debian XML/SGML Group <debian-xml-sgml-pkgs@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 28 Apr 2021 19:30:02 UTC Severity: important Tags: security, upstream Foun ...
Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP11 security update
Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2437 SP11 security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic Updated packages that provide Red Hat JBoss Core Services Apache HTTP Server 2 ...
Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP11 security update
Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2437 SP11 security update Type/Severity Security Advisory: Important Topic Red Hat JBoss Core Services Apache HTTP Server 2437 Service Pack 11 zip release for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, and Microsoft Windows is availableRed Hat Product Securit ...
Red Hat: Moderate: OpenShift Container Platform 4.10.3 security update
Synopsis Moderate: OpenShift Container Platform 4103 security update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4103 is now available withupdates to packages and images that fix several bugs and add enhancementsRed Hat Product Security has rated this update as having a security impact of ...
Red Hat: Important: Service Telemetry Framework 1.4 security update
Synopsis Important: Service Telemetry Framework 14 security update Type/Severity Security Advisory: Important Topic An update is now available for Service Telemetry Framework 14 for RHEL 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which g ...
Amazon Linux AMI: ALAS-2023-1743
parserc in libxml2 before 295 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name (CVE-2017-16931) GNOME project libxml2 v2910 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entitiesc The issue has been ...
Amazon Linux 2: ALAS2-2021-1718
There is a flaw in the xml entity encoding functionality of libxml2 An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read The most likely impact of this flaw is to application availability, with some potential impact to confidentiali ...
Amazon Linux 2: ALAS2-2021-1662
GNOME project libxml2 v2910 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entitiesc The issue has been fixed in commit 50f06b3e (CVE-2020-24977) There is a flaw in the xml entity encoding functionality of libxml2 An attacker who is able to supply a crafted file to be processed by an application linked wit ...
Red Hat: CVE-2021-3517
No description is available for this CVE ...
Arch Linux Issues:
A heap-based buffer overflow was found in libxml2 when processing truncated UTF-8 input ...

ICS Advisories

Hitachi Energy RTU500 series
Critical Infrastructure Sectors: Energy
Hitachi Energy APM Edge
Critical Infrastructure Sectors: Energy
https://ics-cert.us-cert.gov/advisories/fd87a3fc00e025fdc5034360097d2bdf
Critical Infrastructure Sectors: Critical Manufacturing

References

CWE-787https://bugzilla.redhat.com/show_bug.cgi?id=1954232https://lists.debian.org/debian-lts-announce/2021/05/msg00008.htmlhttps://security.netapp.com/advisory/ntap-20210625-0002/https://security.gentoo.org/glsa/202107-05https://www.oracle.com/security-alerts/cpuoct2021.htmlhttps://security.netapp.com/advisory/ntap-20211022-0004/https://www.oracle.com/security-alerts/cpujan2022.htmlhttps://www.oracle.com/security-alerts/cpuapr2022.htmlhttps://www.oracle.com/security-alerts/cpujul2022.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3Ehttps://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3Ehttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987738https://nvd.nist.govhttps://www.cisa.gov/uscert/ics/advisories/icsa-21-336-08https://alas.aws.amazon.com/ALAS-2023-1743.html
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2022-38028CVE-2024-32406CVE-2024-25624IMAPCVE-2024-2310CVE-2024-0874CVE-2024-20359XXEremote code execution
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook