Critical severity · NVD Advisory · Published Jan 14, 2021 · Updated Feb 13, 2025
XMLBeans XML Entity Expansion
CVE-2021-23926
Description
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
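The following is an added example, not XMLBeans' own code and not the 3.0.0 fix itself. It shows the practical mitigation for a caller who cannot yet move off 2.6.0: configure a SAX reader that refuses DOCTYPE declarations and external entities, and hand it to XMLBeans through `XmlOptions.setLoadUseXMLReader` so the library's own unhardened default parser is never used. The feature URIs are the standard Xerces/JAXP ones; the `HardenedXmlBeansLoad` class, the `entityExpansionDoc` generator and the sample documents are this example's own constructions. It does not assert anything about the unhardened path, because whether that path actually blows up depends on which JAXP parser is on the classpath and on the JDK's own entity-expansion limits; upgrading to 3.0.0 remains the real fix.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.XMLReader;

public class HardenedXmlBeansLoad {

    // Constructed benign input: the hardened path must still accept ordinary documents.
    static final String BENIGN_DOC =
        "<?xml version=\"1.0\"?><doc><item>ok</item></doc>";

    /**
     * Constructed "billion laughs" style document: depth levels of entities,
     * each referencing the previous one fanout times, so the root reference
     * expands to fanout^depth copies of "lol". depth=10, fanout=10 is the
     * classic 10^10 expansion.
     */
    static String entityExpansionDoc(int depth, int fanout) {
        StringBuilder sb = new StringBuilder();
        sb.append("<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n <!ENTITY lol \"lol\">\n");
        for (int i = 1; i <= depth; i++) {
            sb.append(" <!ENTITY lol").append(i).append(" \"");
            String prev = (i == 1) ? "lol" : "lol" + (i - 1);
            for (int j = 0; j < fanout; j++) {
                sb.append('&').append(prev).append(';');
            }
            sb.append("\">\n");
        }
        sb.append("]>\n<lolz>&lol").append(depth).append(";</lolz>");
        return sb.toString();
    }

    /** Build a SAX reader that cannot process a DTD, so no entity can be declared or expanded. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setValidating(false);
        // Primary control: reject any DOCTYPE. Without a DTD there are no internal
        // entities to expand and no external entities to fetch.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that accept the DOCTYPE anyway.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newSAXParser().getXMLReader();
    }

    /** Parse with XMLBeans; when hardened is true the pre-configured reader replaces the default one. */
    static XmlObject parse(String xml, boolean hardened) throws Exception {
        XmlOptions opts = new XmlOptions();
        if (hardened) {
            opts.setLoadUseXMLReader(hardenedReader());
        }
        return XmlObject.Factory.parse(xml, opts);
    }

    public static void main(String[] args) throws Exception {
        String hostile = entityExpansionDoc(10, 10);

        // Benign input still parses through the hardened reader.
        XmlObject ok = parse(BENIGN_DOC, true);
        System.out.println("benign document parsed: " + (ok != null));

        // The hostile document must be rejected before any expansion happens.
        try {
            parse(hostile, true);
            System.out.println("UNEXPECTED: hardened parse accepted the entity-expansion document");
        } catch (XmlException e) {
            System.out.println("hardened parse rejected the document: " + e.getMessage());
        }
    }
}
```

Run it against the XMLBeans version actually deployed, not only against a test classpath: the reader XMLBeans builds by default comes from whatever `SAXParserFactory` JAXP resolves at runtime, so the protective features above must be set on the reader you pass in rather than assumed from the library.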
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.xmlbeans:xmlbeans (Maven) | < 3.0.0 | 3.0.0 |
Affected products

No CPE is assigned to any of these entries; ranges are given per package URL.

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:maven/org.apache.xmlbeans/xmlbeans | Maven Central | < 3.0.0 |
| pkg:rpm/opensuse/xmlbeans | openSUSE Leap 15.3 | < 2.6.0-150000.5.3.1 |
| pkg:rpm/opensuse/xmlbeans | openSUSE Leap 15.4 | < 2.6.0-150000.5.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Enterprise Storage 7 | < 2.6.0-150000.5.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | < 2.6.0-150000.5.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | < 2.6.0-150000.5.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Linux Enterprise Module for Basesystem 15 SP3 | < 2.6.0-150000.5.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Linux Enterprise Module for Basesystem 15 SP4 | < 2.6.0-150000.5.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Linux Enterprise Server 15 SP2-BCL | < 2.6.0-150000.5.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Linux Enterprise Server 15 SP2-LTSS | < 2.6.0-150000.5.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Linux Enterprise Server for SAP Applications 15 SP2 | < 2.6.0-150000.5.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Linux Enterprise Software Development Kit 12 SP5 | < 2.6.0-3.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Linux Enterprise Workstation Extension 12 SP5 | < 2.6.0-3.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Manager Proxy 4.1 | < 2.6.0-150000.5.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Manager Retail Branch Server 4.1 | < 2.6.0-150000.5.3.1 |
| pkg:rpm/suse/xmlbeans | SUSE Manager Server 4.1 | < 2.6.0-150000.5.3.1 |
References
- github.com/advisories/GHSA-mw3r-pfmg-xp92 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23926 (NVD)
- issues.apache.org/jira/browse/XMLBEANS-517 (Apache JIRA issue for the fix)
- lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed%40%3Cjava-dev.axis.apache.org%3E (java-dev@axis.apache.org mailing list)
- lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1%40%3Cjava-dev.axis.apache.org%3E (java-dev@axis.apache.org mailing list)
- lists.debian.org/debian-lts-announce/2021/06/msg00024.html (Debian LTS announcement)
- poi.apache.org (Apache POI, downstream consumer of XMLBeans)
- security.netapp.com/advisory/ntap-20210513-0004/ (NetApp advisory)
- www.oracle.com/security-alerts/cpuoct2021.html (Oracle Critical Patch Update, October 2021)
- www.oracle.com/security-alerts/cpujul2022.html (Oracle Critical Patch Update, July 2022)