CVE-2021-21366
Severity: MEDIUM (CVSS 4.3) | EPSS: 1.3%
Misinterpretation of malicious XML input
Description
### Impact

xmldom versions 0.4.0 and older do not correctly preserve [system identifiers](https://www.w3.org/TR/2008/REC-xml-20081126/#d0e4313), [FPIs](https://en.wikipedia.org/wiki/Formal_Public_Identifier) or [namespaces](https://www.w3.org/TR/xml-names11/) when repeatedly parsing and serializing maliciously crafted documents. The parse-serialize round trip is therefore not stable: a component that validates a document and a later consumer that parses its re-serialized form may see different element namespaces or document type declarations. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

### Patches

Update to 0.5.0 (https://github.com/xmldom/xmldom/releases/tag/0.5.0).

### Workarounds

Downstream applications can validate the input and reject maliciously crafted documents. One practical check is to re-serialize the parsed document and reject it if a second parse does not yield the same element names, namespaces and DOCTYPE as the original input.

### References

Similar to the issue reported against the Go standard library's encoding/xml package:

- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [`xmldom/xmldom`](https://github.com/xmldom/xmldom)
* Email us: send an email to **all** addresses that are shown by `npm owner ls xmldom`
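The round-trip check the advisory's workaround calls for, as an added example written by the editor (it is not code from xmldom or from the advisory). The tokenizer, the `checkRoundTrip` guard, the `parse`/`faithfulSerialize`/`lossySerialize` stand-ins and the sample documents are all constructed for this illustration; the lossy serializer models the defect class described above (dropped DOCTYPE, dropped namespace declarations below the root) and is not a reproduction of xmldom's actual output.

```javascript
// Added example by the editor, not code from xmldom or its advisory: a namespace-aware
// round-trip guard a downstream application can run before trusting parse -> serialize
// output.  Documents are compared by expanded-name token streams, so prefix renames and
// inter-tag whitespace are tolerated, while a dropped or rebound xmlns declaration or a lost
// DOCTYPE is reported.  Assumed subset: elements, attributes, text, PIs, comments without
// '>' inside, and a DOCTYPE without an internal subset.
const ATTR_RE = /([^\s=\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// Resolve "prefix:local" against in-scope bindings; unprefixed attributes are in no
// namespace and an unbound prefix is a hard error rather than a silent guess.
function expand(qname, scope, isAttr) {
  const colon = qname.indexOf(':');
  const prefix = colon < 0 ? '' : qname.slice(0, colon);
  const local = colon < 0 ? qname : qname.slice(colon + 1);
  if (isAttr && prefix === '') return { ns: '', local };
  if (!(prefix in scope)) throw new Error(`unbound namespace prefix "${prefix}"`);
  return { ns: scope[prefix], local };
}

// Expanded-name token stream, e.g. "start:{urn:a}root[{}id=1]", "text:x", "end:{urn:a}root".
function tokenize(xml) {
  const tokens = [];
  const stack = [{ '': '', xml: 'http://www.w3.org/XML/1998/namespace' }];
  let i = 0;
  while (i < xml.length) {
    const lt = xml.indexOf('<', i);
    const text = xml.slice(i, lt < 0 ? xml.length : lt);
    if (text.trim() !== '') tokens.push(`text:${text.trim()}`);
    if (lt < 0) break;
    const gt = xml.indexOf('>', lt);
    if (gt < 0) throw new Error('unterminated markup');
    const body = xml.slice(lt + 1, gt);
    i = gt + 1;
    if (body.startsWith('?') || body.startsWith('!--')) continue;   // PI, XML decl, comment
    if (body.startsWith('!DOCTYPE')) {                               // keep public/system ids verbatim
      tokens.push(`doctype:${body.replace(/\s+/g, ' ').trim()}`);
    } else if (body.startsWith('/')) {                               // end tag: resolve in own scope, then pop
      const e = expand(body.slice(1).trim(), stack[stack.length - 1], false);
      tokens.push(`end:{${e.ns}}${e.local}`);
      stack.pop();
    } else {                                                         // start tag: xmlns decls first, then names
      const selfClosing = body.endsWith('/');
      const tag = selfClosing ? body.slice(0, -1) : body;
      const nameEnd = tag.search(/\s/);
      const qname = nameEnd < 0 ? tag : tag.slice(0, nameEnd);
      const scope = Object.assign({}, stack[stack.length - 1]);
      const plain = [];
      for (const m of (nameEnd < 0 ? '' : tag.slice(nameEnd)).matchAll(ATTR_RE)) {
        const value = m[2] !== undefined ? m[2] : m[3];
        if (m[1] === 'xmlns') scope[''] = value;
        else if (m[1].startsWith('xmlns:')) scope[m[1].slice(6)] = value;
        else plain.push([m[1], value]);
      }
      stack.push(scope);
      const el = expand(qname, scope, false);
      const attrs = plain.map(([n, v]) => { const a = expand(n, scope, true); return `{${a.ns}}${a.local}=${v}`; }).sort();
      tokens.push(`start:{${el.ns}}${el.local}[${attrs.join(',')}]`);
      if (selfClosing) { tokens.push(`end:{${el.ns}}${el.local}`); stack.pop(); }
    }
  }
  if (stack.length !== 1) throw new Error('unbalanced elements');
  return tokens;
}

function firstDifference(a, b) {
  for (let k = 0; k < Math.max(a.length, b.length); k++) {
    if (a[k] !== b[k]) return { index: k, expected: a[k], got: b[k] };
  }
  return null;
}

// The guard: one cycle must preserve every expanded name and a second cycle must be
// a fixed point.  Returns null when the document is stable, else the first mismatch.
function checkRoundTrip(parse, serialize, xml) {
  const once = serialize(parse(xml));
  const twice = serialize(parse(once));
  return firstDifference(tokenize(xml), tokenize(once)) || firstDifference(tokenize(once), tokenize(twice));
}

// Constructed stand-ins for demonstration (NOT xmldom's real behaviour): parse() is the identity,
// faithfulSerialize() only touches whitespace, lossySerialize() drops the DOCTYPE and non-root xmlns.
const parse = (xml) => xml;
const faithfulSerialize = (doc) => doc.replace(/\s+\/>/g, '/>');
function lossySerialize(doc) {
  let seenRoot = false;
  return doc.replace(/<!DOCTYPE[^>]*>/, '').replace(/<[A-Za-z_][^>]*>/g, (tag) => {
    if (!seenRoot) { seenRoot = true; return tag; }
    return tag.replace(/\s+xmlns(?::[\w.-]+)?\s*=\s*(?:"[^"]*"|'[^']*')/g, '');
  });
}

// Constructed sample documents (not taken from the advisory).
const SAMPLE = '<!DOCTYPE root PUBLIC "-//EXAMPLE//DTD root//EN" "http://example.com/root.dtd">\n'
  + '<root xmlns="urn:example:a" xmlns:s="urn:example:sig">\n  <s:Signature s:id="1" />\n'
  + '  <child xmlns="urn:example:b">payload</child>\n</root>';
const NS_SAMPLE = '<root xmlns="urn:example:a"><child xmlns="urn:example:b">payload</child></root>';
console.log(checkRoundTrip(parse, faithfulSerialize, SAMPLE)); // null: stable
console.log(checkRoundTrip(parse, lossySerialize, NS_SAMPLE)); // index 1: child rebound to urn:example:a
```

To run the guard against the library itself, pass `(xml) => new DOMParser().parseFromString(xml, 'text/xml')` and `(doc) => new XMLSerializer().serializeToString(doc)` from the deployed xmldom version as `parse` and `serialize`; a non-null result is the signal to reject the input, as the advisory's workaround suggests. The check only covers the parser and serializer it is wired to, so it complements rather than replaces the upgrade to 0.5.0.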
Affected packages (3)
- Debian/node-xmldom: from 0, < 0.5.0-1
- Debian/node-xmldom: from 0, < 0.1.27+ds-1+deb10u2
- npm/xmldom: from 0, < 0.5.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-21366
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2021-21366
- PATCH: https://github.com/xmldom/xmldom
- WEB: https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135
- WEB: https://github.com/xmldom/xmldom/releases/tag/0.5.0
- WEB: https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv
- WEB: https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html
- WEB: https://www.npmjs.com/package/xmldom