CVE-2021-23926

XMLBeans XML Entity Expansion

EPSS 6.3%
Vexday Risk Score: 3 (Low)
SSVC decision (CISA): Track
No exploitation signal → monitor
CVSS | EPSS 6.3% | KEV: no | PoC | Nuclei | Metasploit | Patch
Lifecycle
14 Jan 2021: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.