CVE-2021-23926 — Improper Restriction of Recursive Entity References in Apache XMLBeans

Description

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.

How to fix CVE-2021-23926

To remediate CVE-2021-23926, upgrade the affected package to a fixed version below.

—upgrade to 3.0.2-1 or later
—upgrade to 2.6.0+dfsg-1+deb9u1 or later
—upgrade to 3.0.0 or later

Is CVE-2021-23926 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 3.0.2-1
from 0, < 2.6.0+dfsg-1+deb9u1
from 0, < 3.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23926
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-23926
WEBissues.apache.org/jira/browse/XMLBEANS-517
WEBlists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed@%3Cjava-dev.axis.apache.org%3E