Bug 1180915 - (CVE-2021-23926) VUL-0: CVE-2021-23926: xmlbeans: XML parsers does not protect from malicious XML input (possible XXE)
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Normal
Assigned To: Pedro Monreal Gonzalez
https://smash.suse.de/issue/275415/
CVSSv3.1:SUSE:CVE-2021-23926:7.1:(AV:...
Reported: 2021-01-14 08:10 UTC by Alexander Bergmann
Modified: 2022-08-08 14:05 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2021-01-14 08:10:59 UTC
CVE-2021-23926

Posted by fanningpj () apache org on Jan 13

Description:

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks.

Affects XMLBeans up to and including v2.6.0.

This issue is being tracked as https://issues.apache.org/jira/browse/XMLBEANS-517

References:
https://poi.apache.org/
https://issues.apache.org/jira/browse/XMLBEANS-517

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23926
http://seclists.org/oss-sec/2021/q1/38
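As an added illustration of the parser properties the advisory says were left unset (example code written for this page, not code from XMLBeans or from the SUSE update): a constructed document with a small internal entity is parsed once with a SAXParserFactory at its defaults and once with a factory hardened to reject DOCTYPE declarations and external entities. The feature URIs and the rejection behaviour are assumed to be those of the JDK's built-in Xerces-derived parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class SafeXmlParserDemo {
    // Constructed sample: a small internal DTD whose entity "b" expands to four
    // copies of "a"; just enough to show expansion versus DOCTYPE rejection.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY a \"aaaa\"> <!ENTITY b \"&a;&a;&a;&a;\"> ]>\n"
      + "<doc>&b;</doc>";
    // Counts the characters the parser delivers after entity expansion.
    static final class CountingHandler extends DefaultHandler {
        int chars;
        @Override public void characters(char[] ch, int start, int len) { chars += len; }
    }
    // The properties the advisory says were not set: secure processing, no DOCTYPE
    // at all (so no entity can be declared), and no external entities or XInclude
    // as defence in depth. Feature URIs are those of the JDK's Xerces-derived parser.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        return f;
    }
    // Parses SAMPLE with the given factory; returns the number of expanded
    // characters, or -1 when the parser rejected the document.
    static int parse(SAXParserFactory f) throws Exception {
        CountingHandler h = new CountingHandler();
        try {
            f.newSAXParser().parse(
                new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)), h);
            return h.chars;
        } catch (SAXParseException e) {
            return -1;  // e.getMessage() names the disallowed DOCTYPE
        }
    }
    public static void main(String[] args) throws Exception {
        // A factory left at its defaults (the situation the advisory describes)
        // expands the entity; the hardened factory rejects the document instead.
        System.out.println("default factory:  " + parse(SAXParserFactory.newInstance()));
        System.out.println("hardened factory: " + parse(hardenedFactory()));
    }
}
```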
Comment 1 Pedro Monreal Gonzalez 2021-06-18 12:26:36 UTC
Commits in version 3.0.0:
 * use safe XML parsers
   https://github.com/apache/xmlbeans/commit/80cb805eb1488ba3a16c427866fa8ae1f52ff0c5
   https://github.com/apache/xmlbeans/commit/a2604e07eeb04bd9a88f8624c3b8efd57b88237c
   https://github.com/apache/xmlbeans/commit/88668f433776e9e795b54263455427d42a456f7f

Note that these are quite heavy changes. I'll try to apply them to the affected codestreams, which are:
   SUSE:SLE-15:Update (version 2.6.0)
   SUSE:SLE-12:Update (version 2.6.0)

I'm also trying to update to version 3.1.0 in Factory atm.