Out-of-bounds Write

Affecting libxml2 package, versions <2.9.4+dfsg1-2.2+deb9u4


NVD Description

Note: Versions mentioned in the description apply to the upstream libxml2 package. See Remediation section below for Debian:9 relevant versions.

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Remediation

Upgrade Debian:9 libxml2 to version 2.9.4+dfsg1-2.2+deb9u4 or higher.

References

CVSS Score

8.6 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: High
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVE: CVE-2021-3517
CWE: CWE-787
Snyk ID: SNYK-DEBIAN9-LIBXML2-1277339
Disclosed: 19 May, 2021
Published: 28 Apr, 2021