CVE-2021-3518

Summary

CVE	CVE-2021-3518
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-05-18 12:15:00 UTC
Updated	2023-11-07 03:38:00 UTC
Description	There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

Risk And Classification

Problem Types: CWE-416

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Clustered Data Ontap	-	All	All	All
Application	Netapp	Clustered Data Ontap Antivirus Connector	-	All	All	All
Hardware	Netapp	Hci H410c	-	All	All	All
Operating System	Netapp	Hci H410c Firmware	-	All	All	All
Application	Netapp	Manageability Software Development Kit	-	All	All	All
Application	Netapp	Ontap Select Deploy Administration Utility	-	All	All	All
Application	Netapp	Snapdrive	-	All	All	All
Application	Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	1.10.0	All	All	All
Application	Oracle	Enterprise Manager Base Platform	13.4.0.0	All	All	All
Application	Oracle	Enterprise Manager Base Platform	13.5.0.0	All	All	All
Application	Oracle	Enterprise Manager Ops Center	12.4.0.0	All	All	All
Application	Oracle	Mysql Workbench	All	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Real User Experience Insight	13.4.1.0	All	All	All
Application	Oracle	Real User Experience Insight	13.5.1.0	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Application	Redhat	Jboss Core Services	-	All	All	All
Application	Xmlsoft	Libxml2	All	All	All	All

References

Reference	Source	Link	Tags
Full Disclosure: APPLE-SA-2021-07-21-6 tvOS 14.7	FULLDISC	seclists.org
About the security content of tvOS 14.7 - Apple Support	CONFIRM	support.apple.com
About the security content of macOS Big Sur 11.5 - Apple Support	CONFIRM	support.apple.com
About the security content of watchOS 7.6 - Apple Support	CONFIRM	support.apple.com
[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8		lists.apache.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
[SECURITY] Fedora 34 Update: libxml2-2.9.10-12.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Full Disclosure: APPLE-SA-2021-07-21-5 watchOS 7.6	FULLDISC	seclists.org
About the security content of iOS 14.7 and iPadOS 14.7 - Apple Support	CONFIRM	support.apple.com
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
libxml2: Multiple vulnerabilities (GLSA 202107-05) — Gentoo security	GENTOO	security.gentoo.org
[SECURITY] Fedora 34 Update: libxml2-2.9.10-12.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Full Disclosure: APPLE-SA-2021-07-21-2 macOS Big Sur 11.5	FULLDISC	seclists.org
[SECURITY] [DLA 2653-1] libxml2 security update	MLIST	lists.debian.org
Pony Mail!	MLIST	lists.apache.org
[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8		lists.apache.org
[SECURITY] Fedora 33 Update: libxml2-2.9.12-4.fc33 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
1954242 – (CVE-2021-3518) CVE-2021-3518 libxml2: use-after-free in xmlXIncludeDoProcess() in xinclude.c	MISC	bugzilla.redhat.com
[SECURITY] Fedora 33 Update: libxml2-2.9.12-4.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
May 2021 Libxml2 Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Full Disclosure: APPLE-SA-2021-07-21-1 iOS 14.7 and iPadOS 14.7	FULLDISC	seclists.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159285 Oracle Enterprise Linux Security Update for libxml2 (ELSA-2021-2569)
174990 SUSE Enterprise Linux Security Update for libxml2 (SUSE-SU-2021:1523-1)
174991 SUSE Enterprise Linux Security Update for libxml2 (SUSE-SU-2021:1524-1)
178586 Debian Security Update for libxml2 (DLA 2653-1)
180182 Debian Security Update for libxml2 (CVE-2021-3518)
198409 Ubuntu Security Notification for libxml2 vulnerabilities (USN-4991-1)
239468 Red Hat Update for libxml2 (RHSA-2021:2569)
240235 Red Hat Update for JBoss Core Services (RHSA-2022:1389)
281180 Fedora Security Update for libxml2 (FEDORA-2021-e3ed1ba38b)
281707 Fedora Security Update for libxml2 (FEDORA-2021-b950000d2b)
296065 Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)
352459 Amazon Linux Security Advisory for libxml2: ALAS2-2021-1677
354638 Amazon Linux Security Advisory for libxml2 : AL2012-2022-370
354929 Amazon Linux Security Advisory for libxml2 : ALAS-2023-1743
375746 Apple MacOS Big Sur 11.5 Not Installed (HT212602)
376204 Mysql Workbench Critical Patch Update Oct 2021
376952 NetApp Clustered Data Open Network Technology for Appliance Products (ONTAP) Disclosure of Sensitive Information Vulnerability (NTAP-20210625-0002,NTAP-20210716-0005)
377408 Alibaba Cloud Linux Security Update for libxml2 (ALINUX3-SA-2021:0047)
378004 Splunk Enterprise Multiple Vulnerabilities (SVD-2023-0215,SVD-2023-0211,SVD-2023-0208)
500342 Alpine Linux Security Update for libxml2
501423 Alpine Linux Security Update for libxml2
501748 Alpine Linux Security Update for libxml2
501968 Alpine Linux Security Update for libxml2
502486 Alpine Linux Security Update for libxml2
504106 Alpine Linux Security Update for libxml2
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
610349 Apple iOS 14.7 and iPadOS 14.7 Security Update Missing
670491 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2249)
670517 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2275)
670548 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2306)
670581 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2339)
670648 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2406)
670851 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2406)
670996 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2595)
710071 Gentoo Linux libxml2 Multiple vulnerabilities (GLSA 202107-05)
750025 SUSE Enterprise Linux Security Update for libxml2 (SUSE-SU-2021:1654-1)
750027 SUSE Enterprise Linux Security Update for libxml2 (SUSE-SU-2021:1658-1)
750201 OpenSUSE Security Update for libxml2 (openSUSE-SU-2021:0764-1)
750222 OpenSUSE Security Update for libxml2 (openSUSE-SU-2021:0692-1)
900044 CBL-Mariner Linux Security Update for libxml2 2.9.10
902878 Common Base Linux Mariner (CBL-Mariner) Security Update for libxml2 (4236)
940375 AlmaLinux Security Update for libxml2 (ALSA-2021:2569)
960016 Rocky Linux Security Update for libxml2 (RLSA-2021:2569)