CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS
Percentile
87.9%
There is a flaw in the xml entity encoding functionality of libxml2 in
versions before 2.9.11. An attacker who is able to supply a crafted file to
be processed by an application linked with the affected functionality of
libxml2 could trigger an out-of-bounds read. The most likely impact of this
flaw is to application availability, with some potential impact to
confidentiality and integrity if an attacker is able to use memory
information to further exploit the application.
Author | Note |
---|---|
ccdm94 | same patch as the one for CVE-2020-24977. As per a comment made by upstream in issue 235 (related to this CVE) both the issues fixed by bf22713507 are caused by the same underlying problem. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libxml2 | < 2.9.4+dfsg1-6.1ubuntu1.4 | UNKNOWN |
ubuntu | 20.04 | noarch | libxml2 | < 2.9.10+dfsg-5ubuntu0.20.04.1 | UNKNOWN |
ubuntu | 20.10 | noarch | libxml2 | < 2.9.10+dfsg-5ubuntu0.20.10.2 | UNKNOWN |
ubuntu | 21.04 | noarch | libxml2 | < 2.9.10+dfsg-6.3ubuntu0.1 | UNKNOWN |
ubuntu | 14.04 | noarch | libxml2 | < 2.9.1+dfsg1-3ubuntu4.13+esm2 | UNKNOWN |
ubuntu | 16.04 | noarch | libxml2 | < 2.9.3+dfsg1-1ubuntu0.7+esm1 | UNKNOWN |
gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2
gitlab.gnome.org/GNOME/libxml2/-/issues/235
launchpad.net/bugs/cve/CVE-2021-3517
nvd.nist.gov/vuln/detail/CVE-2021-3517
security-tracker.debian.org/tracker/CVE-2021-3517
ubuntu.com/security/notices/USN-4991-1
www.cve.org/CVERecord?id=CVE-2021-3517
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS
Percentile
87.9%