CVE-2021-3517

Source
https://cve.org/CVERecord?id=CVE-2021-3517
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3517.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-3517
Aliases
Downstream
Related
Published
2021-05-19T14:15:07.553Z
Modified
2026-03-15T22:42:11.881238Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Summary
[none]
Details

There is a flaw in the XML entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

References

Affected packages

Git / github.com/gnome/libxml2

Affected ranges

Type
GIT
Repo
https://github.com/gnome/libxml2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.9.11"
        }
    ]
}
Type
GIT
Repo
https://github.com/openjdk/jdk15u
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.58"
        }
    ]
}

Affected versions

Other

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3517.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "33"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "34"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "11.0.0"
            },
            {
                "last_affected": "11.70.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.10.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "13.4.0.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "13.5.0.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0.26"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8-update301"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "13.4.1.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "13.5.1.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.8"
            }
        ]
    }
]
vanir_signatures
[
    {
        "signature_version": "v1",
        "target": {
            "file": "testapi.c"
        },
        "source": "https://github.com/gnome/libxml2/commit/e1bcffea180d6cc0651757bb64284a763e0e2239",
        "deprecated": false,
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "id": "CVE-2021-3517-1aa97e63",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "testapi.c",
            "function": "test_xmlIO"
        },
        "source": "https://github.com/gnome/libxml2/commit/e1bcffea180d6cc0651757bb64284a763e0e2239",
        "deprecated": false,
        "digest": {
            "function_hash": "198329610838053062539893085088781189951",
            "length": 1155.0
        },
        "id": "CVE-2021-3517-4ad7707d",
        "signature_type": "Function"
    }
]