CVE-2021-23926

CRITICAL

Apache XMLBeans <= 2.6.0 - XML Entity Expansion


Description

The XML parsers used by XMLBeans up to and including version 2.6.0 did not set the properties needed to protect the user from malicious XML input, so a document supplied by an attacker can trigger XML Entity Expansion (CWE-776): nested internal entities expand exponentially and exhaust memory or CPU in the parsing process. Affects XMLBeans up to and including v2.6.0; XMLBeans 3.0.0 and later configure their parsers securely by default.
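Worked example (added here, not code from the advisory or from the XMLBeans project): on a 2.x XMLBeans that cannot be upgraded, the practical mitigation is to hand XMLBeans a SAX XMLReader you configured yourself, via XmlOptions.setLoadUseXMLReader, instead of letting it build its own. The class name HardenedXmlBeansLoad and the helper names are assumptions; the feature URIs are the standard Xerces/JDK ones, and the three-level entity document is a constructed sample kept deliberately small.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.XMLReader;

public class HardenedXmlBeansLoad {

    // Constructed sample: a miniature entity-expansion document (10^2 expansions,
    // not the classic 10^9) so it finishes quickly on a parser that accepts it.
    static final String ENTITY_EXPANSION_DOC =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE lolz [\n" +
        " <!ENTITY lol \"lol\">\n" +
        " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
        " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
        "]>\n" +
        "<lolz>&lol2;</lolz>";

    // Build an XMLReader with the properties XMLBeans 2.x failed to set.
    // disallow-doctype-decl alone defeats entity expansion (no DOCTYPE, no entities);
    // the remaining features are defence in depth against XXE and DTD fetches.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser().getXMLReader();
    }

    // Parse untrusted XML through XMLBeans using the hardened reader
    // rather than the library's default parser.
    static XmlObject loadUntrusted(String xml) throws Exception {
        XmlOptions opts = new XmlOptions();
        opts.setLoadUseXMLReader(hardenedReader());   // assumed hook; present in XMLBeans 2.x XmlOptions
        return XmlObject.Factory.parse(xml, opts);
    }

    public static void main(String[] args) throws Exception {
        try {
            loadUntrusted(ENTITY_EXPANSION_DOC);
            System.out.println("parsed: DOCTYPE accepted, parser is NOT hardened");
        } catch (Exception e) {
            // Expected: the hardened reader rejects the document at the DOCTYPE.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two caveats when applying this: the feature URIs beginning with http://apache.org/xml/ are Xerces-specific (the JDK's bundled parser honours them; another SAX implementation may throw SAXNotRecognizedException, which should be treated as a hard failure, not ignored), and if the application legitimately needs internal DTD subsets, replace disallow-doctype-decl with an explicit expansion cap (the JDK's jdk.xml.entityExpansionLimit property, default 64000) rather than leaving DOCTYPE unrestricted.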

Scores

CVSS v3 9.1
EPSS 0.0044
EPSS Percentile 63.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Details

CWE
CWE-776
Status published
Products (11)
apache/xmlbeans <= 2.6.0
debian/debian_linux 9.0
netapp/oncommand_unified_manager_core_package
netapp/snap_creator_framework
netapp/snapmanager (2 CPE variants)
oracle/middleware_common_libraries_and_tools 12.2.1.3.0
oracle/middleware_common_libraries_and_tools 12.2.1.4.0
oracle/peoplesoft_enterprise_peopletools 8.57
oracle/peoplesoft_enterprise_peopletools 8.58
oracle/peoplesoft_enterprise_peopletools 8.59
... and 1 more
Published Jan 14, 2021
Tracked Since Feb 18, 2026