CVE-2021-3537
Published on: 05/14/2021 12:00:00 AM UTC
Last Modified on: 02/28/2023 03:19:00 PM UTC
Certain versions of Debian Linux from Debian contain the following vulnerability:
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
- CVE-2021-3537 has been assigned by seca[email protected] to track the vulnerability - currently rated as MEDIUM severity.
CVSS3 Score: 5.9 - MEDIUM

| Attack Vector | Attack Complexity | Privileges Required | User Interaction |
|---|---|---|---|
| NETWORK | HIGH | NONE | NONE |

| Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|
| UNCHANGED | NONE | NONE | HIGH |
CVSS2 Score: 4.3 - MEDIUM

| Access Vector | Access Complexity | Authentication |
|---|---|---|
| NETWORK | MEDIUM | NONE |

| Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|
| NONE | NONE | PARTIAL |
CVE References

| Description | Source | Type |
|---|---|---|
| Oracle Critical Patch Update Advisory - April 2022 | www.oracle.com | text/html |
| [SECURITY] Fedora 34 Update: libxml2-2.9.10-12.fc34 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | text/html |
| Oracle Critical Patch Update Advisory - October 2021 | www.oracle.com | text/html |
| libxml2: Multiple vulnerabilities (GLSA 202107-05) — Gentoo security | security.gentoo.org | text/html |
| 1956522 – (CVE-2021-3537) CVE-2021-3537 libxml2: NULL pointer dereference when post-validating mix content parsed in recovery mode | bugzilla.redhat.com | text/html |
| [SECURITY] [DLA 2653-1] libxml2 security update | lists.debian.org | text/html |
| [SECURITY] Fedora 33 Update: libxml2-2.9.12-4.fc33 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | text/html |
| May 2021 Libxml2 Vulnerabilities in NetApp Products \| NetApp Product Security | security.netapp.com | text/html |
| Oracle Critical Patch Update Advisory - July 2022 | www.oracle.com | text/html |
Related QID Numbers
- 159285 Oracle Enterprise Linux Security Update for libxml2 (ELSA-2021-2569)
- 178586 Debian Security Update for libxml2 (DLA 2653-1)
- 180242 Debian Security Update for libxml2 (CVE-2021-3537)
- 198409 Ubuntu Security Notification for libxml2 vulnerabilities (USN-4991-1)
- 239468 Red Hat Update for libxml2 (RHSA-2021:2569)
- 240235 Red Hat Update for JBoss Core Services (RHSA-2022:1389)
- 281180 Fedora Security Update for libxml2 (FEDORA-2021-e3ed1ba38b)
- 281707 Fedora Security Update for libxml2 (FEDORA-2021-b950000d2b)
- 296065 Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)
- 352459 Amazon Linux Security Advisory for libxml2: ALAS2-2021-1677
- 354638 Amazon Linux Security Advisory for libxml2 : AL2012-2022-370
- 354929 Amazon Linux Security Advisory for libxml2 : ALAS-2023-1743
- 376204 Mysql Workbench Critical Patch Update Oct 2021
- 376952 NetApp Clustered Data Open Network Technology for Appliance Products (ONTAP) Disclosure of Sensitive Information Vulnerability (NTAP-20210625-0002,NTAP-20210716-0005)
- 377408 Alibaba Cloud Linux Security Update for libxml2 (ALINUX3-SA-2021:0047)
- 377648 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities(CPUOCT2022)
- 378004 Splunk Enterprise Multiple Vulnerabilities (SVD-2023-0215,SVD-2023-0211,SVD-2023-0208)
- 500342 Alpine Linux Security Update for libxml2
- 501423 Alpine Linux Security Update for libxml2
- 501748 Alpine Linux Security Update for libxml2
- 501968 Alpine Linux Security Update for libxml2
- 502486 Alpine Linux Security Update for libxml2
- 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
- 670491 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2249)
- 670517 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2275)
- 670548 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2306)
- 670581 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2339)
- 670648 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2406)
- 670851 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2406)
- 670996 EulerOS Security Update for libxml2 (EulerOS-SA-2021-2595)
- 710071 Gentoo Linux libxml2 Multiple vulnerabilities (GLSA 202107-05)
- 750025 SUSE Enterprise Linux Security Update for libxml2 (SUSE-SU-2021:1654-1)
- 750027 SUSE Enterprise Linux Security Update for libxml2 (SUSE-SU-2021:1658-1)
- 750201 OpenSUSE Security Update for libxml2 (openSUSE-SU-2021:0764-1)
- 900044 CBL-Mariner Linux Security Update for libxml2 2.9.10
- 903455 Common Base Linux Mariner (CBL-Mariner) Security Update for libxml2 (4195)
- 940375 AlmaLinux Security Update for libxml2 (ALSA-2021:2569)
- 960016 Rocky Linux Security Update for libxml2 (RLSA-2021:2569)
Known Affected Configurations (CPE V2.3)
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:hci_h410c:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:hci_h410c_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update301:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_core_services:-:*:*:*:*:*:*:*
- cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
No vendor comments have been submitted for this CVE
Social Mentions

| Title | Posted (UTC) |
|---|---|
| bluhm@ modified textproc/libxml: Fix CVE-2021-3537 in libxml. OK jca@ | 2021-05-11 07:55:23 |
| OPENBSD_6_9 jca@ modified textproc/libxml: SECURITY fix for CVE-2021-3537 in libxml -current fix from bluhm@, ok bluhm@ | 2021-05-12 11:55:21 |
| OPENBSD_6_9 jca@ modified textproc/libxml: SECURITY fix for CVE-2021-3537 in libxml -current fix from bluhm@, ok bluhm@ | 2021-05-12 11:55:22 |
| CVE-2021-3537 : A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors w… twitter.com/i/web/status/1… | 2021-05-14 20:19:02 |
| CVE-2021-3537 | 2021-05-14 20:41:19 |