Bugzilla – Bug 1180915
VUL-0: CVE-2021-23926: xmlbeans: XML parsers does not protect from malicious XML input (possible XXE)
Last modified: 2022-08-08 14:05:43 UTC
Posted by fanningpj () apache org on Jan 13Description:
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks.
Affects XMLBeans up to and including v2.6.0.
This issue is being tracked as https://issues.apache.org/jira/browse/XMLBEANS-517
Commits in version 3.0.0:
* use safe XML parsers
Note that, these are quite heavy changes. I'll try to apply them to the affected codestreams, these are:
SUSE:SLE-15:Update (version 2.6.0)
SUSE:SLE-12:Update (version 2.6.0)
I'm also trying to update to version 3.1.0 in Factory atm.