Improper Interaction Between Multiple Correctly-Behaving Entities in xmldom - CVE-2021-21366
Published: June 2, 2023
Vulnerability identifier: #VU76822
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-21366
CWE-ID: CWE-435
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: xmldom
Affected software:
xmldom
xmldom
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to the system.
The vulnerability exists due to xmldom do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. A remote attacker can send a specially crafted file and make syntactic changes during XML processing in some downstream applications.
How to mitigate CVE-2021-21366
Install updates from vendor's website.
Sources
- https://github.com/xmldom/xmldom/releases/tag/0.5.0
- https://www.npmjs.com/package/xmldom
- https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135
- https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv
- https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html