High severityNVD Advisory· Published May 19, 2021· Updated Dec 2, 2025
CVE-2021-3517
CVE-2021-3517
Description
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nokogiriRubyGems | < 1.11.4 | 1.11.4 |
Affected products
46- libxml2/libxml2description
- ghsa-coords45 versionspkg:gem/nokogiripkg:rpm/almalinux/libxml2-develpkg:rpm/opensuse/libxml2&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/libxml2&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-libxml2-python&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/ruby3.2-rubygem-nokogiri&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/rubygem-nokogiri&distro=openSUSE%20Tumbleweedpkg:rpm/suse/libxml2&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Micro%205.0pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/libxml2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/libxml2&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/libxml2&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/libxml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/libxml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/libxml2-python&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3pkg:rpm/suse/libxml2-python&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/python-libxml2&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/python-libxml2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/python-libxml2&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-libxml2&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-libxml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-libxml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/python-libxml2-python&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2pkg:rpm/suse/python-libxml2-python&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/python-libxml2-python&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%202%2015%20SP2pkg:rpm/suse/python-libxml2-python&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%202%2015%20SP3
< 1.11.4+ 44 more
- (no CPE)range: < 1.11.4
- (no CPE)range: < 2.9.7-9.el8_4.2
- (no CPE)range: < 2.9.7-lp152.10.9.1
- (no CPE)range: < 2.9.12-1.2
- (no CPE)range: < 2.9.7-lp152.10.9.1
- (no CPE)range: < 1.13.9-1.7
- (no CPE)range: < 1.13.3-1.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.7-3.31.1
- (no CPE)range: < 2.9.7-3.31.1
- (no CPE)range: < 2.9.7-3.31.1
- (no CPE)range: < 2.7.6-0.77.36.1
- (no CPE)range: < 2.7.6-0.77.36.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.40.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.40.1
- (no CPE)range: < 2.9.4-46.40.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.7.6-0.77.36.1
- (no CPE)range: < 2.7.6-0.77.36.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.40.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.40.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.4-46.43.1
- (no CPE)range: < 2.9.7-3.31.1
- (no CPE)range: < 2.9.7-3.31.1
- (no CPE)range: < 2.9.7-3.31.1
- (no CPE)range: < 2.9.7-3.31.1
Patches
Vulnerability mechanics
References
24- github.com/advisories/GHSA-jw9f-hh49-cvp9ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2021-3517ghsaADVISORY
- security.gentoo.org/glsa/202107-05ghsavendor-advisoryx_refsource_GENTOOWEB
- bugzilla.redhat.com/show_bug.cgighsax_refsource_MISCWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-3517.ymlghsaWEB
- github.com/sparklemotion/nokogiri/blob/7c19ef5cc6b7c5c36827dd5495f857c6877ec8cf/CHANGELOG.mdghsaWEB
- github.com/sparklemotion/nokogiri/issues/2233ghsaWEB
- github.com/sparklemotion/nokogiri/issues/2274ghsaWEB
- gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8eghsaWEB
- lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.debian.org/debian-lts-announce/2021/05/msg00008.htmlghsamailing-listx_refsource_MLISTWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WVghsaWEB
- security.netapp.com/advisory/ntap-20210625-0002ghsaWEB
- security.netapp.com/advisory/ntap-20210625-0002/mitrex_refsource_CONFIRM
- security.netapp.com/advisory/ntap-20211022-0004ghsaWEB
- security.netapp.com/advisory/ntap-20211022-0004/mitrex_refsource_CONFIRM
- www.oracle.com/security-alerts/cpuapr2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujul2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.