CVE-2021-3518
Vulnerability Summary
Timeline
Description
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
CVSS Metrics
- v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 0.25%• Percentile: 49%
Techniques & Countermeasures
- CWE-416•Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Affected Systems
- debian•debian_linux
9.0
- fedoraproject•fedora
33 | 34
- netapp•active_iq_unified_manager
na
- netapp•clustered_data_ontap
na
- netapp•clustered_data_ontap_antivirus_connector
na
- netapp•hci_h410c_firmware
na
- netapp•manageability_software_development_kit
na
- netapp•ontap_select_deploy_administration_utility
na
- netapp•snapdrive
na
- oracle•communications_cloud_native_core_network_function_cloud_native_environment
1.10.0
- oracle•enterprise_manager_base_platform
13.4.0.0 | 13.5.0.0
- oracle•enterprise_manager_ops_center
12.4.0.0
- oracle•mysql_workbench
≤ 8.0.26
- oracle•peoplesoft_enterprise_peopletools
8.58
- oracle•real_user_experience_insight
13.4.1.0 | 13.5.1.0
- redhat•enterprise_linux
8.0
- redhat•jboss_core_services
na
- xmlsoft•libxml2
< 2.9.11
References (19)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
- https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1954242
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
- https://security.gentoo.org/glsa/202107-05
- https://security.netapp.com/advisory/ntap-20210625-0002/
- http://seclists.org/fulldisclosure/2021/Jul/58
- http://seclists.org/fulldisclosure/2021/Jul/54
- http://seclists.org/fulldisclosure/2021/Jul/55
- http://seclists.org/fulldisclosure/2021/Jul/59
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://support.apple.com/kb/HT212605
- https://support.apple.com/kb/HT212602
- https://support.apple.com/kb/HT212601
- https://support.apple.com/kb/HT212604
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html