CVE-2021-3537 : A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

Published 2021-05-14 20:15:17

Updated 2023-02-28 15:20:00

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2021-3537

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Core Services » Version: N/A
cpe:2.3:a:redhat:jboss_core_services:-:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.58
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
Matching versions
Oracle » Openjdk » Version: 8 Update Update301
cpe:2.3:a:oracle:openjdk:8:update301:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Ops Center » Version: 12.4.0.0
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Base Platform » Version: 13.4.0.0
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Manager Base Platform » Version: 13.5.0.0
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql Workbench
Versions up to, including, (<=) 8.0.26
cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*
Matching versions
Oracle » Real User Experience Insight » Version: 13.4.1.0
cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Real User Experience Insight » Version: 13.5.1.0
cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 1.10.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
Matching versions
Xmlsoft » Libxml2
Versions before (<) 2.9.11
cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Netapp » Clustered Data Ontap » Version: N/A
cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
Matching versions
Netapp » Snapdrive » Version: N/A For Windows
cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*
Matching versions
Netapp » Ontap Select Deploy Administration Utility » Version: N/A
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
Matching versions
Netapp » Clustered Data Ontap Antivirus Connector » Version: N/A
cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*
Matching versions
Netapp » Active Iq Unified Manager » Version: N/A For Vmware Vsphere
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Manageability Software Development Kit » Version: N/A
cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*
Matching versions
Netapp » Hci H410c Firmware » Version: N/A
cpe:2.3:o:netapp:hci_h410c_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » Hci H410c » Version: N/A

Threat overview for CVE-2021-3537

Top countries where our scanners detected CVE-2021-3537

Top open port discovered on systems with this issue 53

IPs affected by CVE-2021-3537 790,297

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2021-3537!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2021-3537

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 29 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-3537

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2021-3537

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2021-3537

https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html

[SECURITY] [DLA 2653-1] libxml2 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202107-05

libxml2: Multiple vulnerabilities (GLSA 202107-05) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/

[SECURITY] Fedora 33 Update: libxml2-2.9.12-4.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20210625-0002/

May 2021 Libxml2 Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/

[SECURITY] Fedora 34 Update: libxml2-2.9.10-12.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle Critical Patch Update Advisory - October 2021
Patch;Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1956522

1956522 – (CVE-2021-3537) CVE-2021-3537 libxml2: NULL pointer dereference when post-validating mix content parsed in recovery mode
Issue Tracking;Patch;Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022
Not Applicable

CVEs referencing this url