CVE-2021-46143

Summary

CVE	CVE-2021-46143
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-01-06 04:15:00 UTC
Updated	2022-10-06 19:11:00 UTC
Description	In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

Risk And Classification

Problem Types: CWE-190

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Libexpat Project	Libexpat	All	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Application	Netapp	Clustered Data Ontap	-	All	All	All
Application	Netapp	Hci Baseboard Management Controller	h610c	All	All	All
Application	Netapp	Hci Baseboard Management Controller	h610s	All	All	All
Application	Netapp	Hci Baseboard Management Controller	h615c	All	All	All
Application	Netapp	Oncommand Workflow Automation	-	All	All	All
Application	Netapp	Solidfire Hci Management Node	-	All	All	All
Application	Siemens	Sinema Remote Connect Server	All	All	All	All
Application	Tenable	Nessus	All	All	All	All

References

Reference	Source	Link	Tags
[W.I.P.] lib: Prevent integer overflow on m_groupSize in function doProlog (fixes #532) by hartwork · Pull Request #538 · libexpat/libexpat · GitHub	MISC	github.com
[R1] Nessus Versions 8.15.3 and 10.1.1 Fix Multiple Third-Party Vulnerabilities - Security Advisory \| Tenable®	CONFIRM	www.tenable.com
Debian -- Security Information -- DSA-5073-1 expat	DEBIAN	www.debian.org
oss-security - Expat 2.4.3 released, includes 8 security fixes	MLIST	www.openwall.com
Expat: Multiple Vulnerabilities (GLSA 202209-24) — Gentoo security	GENTOO	security.gentoo.org
CVE-2021-46143 Expat Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf	CONFIRM	cert-portal.siemens.com
Crafted XML file can cause integer overflow on m_groupSize in function doProlog · Issue #532 · libexpat/libexpat · GitHub	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159712 Oracle Enterprise Linux Security Update for expat (ELSA-2022-0951)
159714 Oracle Enterprise Linux Security Update for expat (ELSA-2022-9227)
159733 Oracle Enterprise Linux Security Update for expat (ELSA-2022-1069)
160232 Oracle Enterprise Linux Security Update for xmlrpc-c (ELSA-2022-7692)
179044 Debian Security Update for expat (DLA 2904-1)
179068 Debian Security Update for expat (DSA 5073-1)
182284 Debian Security Update for expat (CVE-2021-46143)
198671 Ubuntu Security Notification for Expat Vulnerabilities (USN-5288-1)
240155 Red Hat Update for expat (RHSA-2022:0951)
240186 Red Hat Update for expat (RHSA-2022:1069)
240794 Red Hat Update for JBoss Core Services (RHSA-2022:7143)
240835 Red Hat Update for xmlrpc-c (RHSA-2022:7692)
257160 CentOS Security Update for expat (CESA-2022:1069)
296057 Oracle Solaris 11.4 Support Repository Update (SRU) 44.113.4 Missing (bulletinapr2022)
330124 IBM AIX Multiple Vulnerabilities in Python (python_advisory)
353975 Amazon Linux Security Advisory for expat : ALAS-2022-1603
353986 Amazon Linux Security Advisory for expat : ALAS2-2022-1809
354360 Amazon Linux Security Advisory for expat : ALAS2022-2022-017
354434 Amazon Linux Security Advisory for expat : ALAS2022-2022-232
354570 Amazon Linux Security Advisory for expat : ALAS-2022-232
355281 Amazon Linux Security Advisory for expat : ALAS2023-2023-058
376582 F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) Expat Vulnerability (K23231802)
376713 Tenable Nessus Multiple Third-Party Vulnerabilities (TNS-2022-05)
376940 NetApp Clustered Data Open Network Technology for Appliance Products (ONTAP) Disclosure of Sensitive Information Vulnerability (NTAP-20220121-0006)
377041 Alibaba Cloud Linux Security Update for expat (ALINUX2-SA-2022:0017)
377097 Alibaba Cloud Linux Security Update for expat (ALINUX3-SA-2022:0021)
44025 Juniper Network Operating System (Junos OS) Multiple Vulnerabilities (JSA70605)
500177 Alpine Linux Security Update for expat
501400 Alpine Linux Security Update for expat
501738 Alpine Linux Security Update for expat
503914 Alpine Linux Security Update for expat
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
6140260 AWS Bottlerocket Security Update for libexpat (GHSA-fcf5-28pr-5vwx)
671428 EulerOS Security Update for expat (EulerOS-SA-2022-1342)
671447 EulerOS Security Update for expat (EulerOS-SA-2022-1425)
671459 EulerOS Security Update for expat (EulerOS-SA-2022-1446)
671508 EulerOS Security Update for expat (EulerOS-SA-2022-1502)
671512 EulerOS Security Update for expat (EulerOS-SA-2022-1483)
671657 EulerOS Security Update for xulrunner (EulerOS-SA-2022-1774)
671715 EulerOS Security Update for expat (EulerOS-SA-2022-1716)
710626 Gentoo Linux Expat Multiple Vulnerabilities (GLSA 202209-24)
751651 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:0178-1)
751653 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:0179-1)
751662 OpenSUSE Security Update for expat (openSUSE-SU-2022:0178-1)
753347 SUSE Enterprise Linux Security Update for expat (SUSE-SU-2022:14878-1)
87486 IBM Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (6559296)
900516 Common Base Linux Mariner (CBL-Mariner) Security Update for expat (7128)
901964 Common Base Linux Mariner (CBL-Mariner) Security Update for expat (7155-1)
940473 AlmaLinux Security Update for expat (ALSA-2022:0951)
940736 AlmaLinux Security Update for xmlrpc-c (ALSA-2022:7692)
960622 Rocky Linux Security Update for xmlrpc-c (RLSA-2022:7692)
960848 Rocky Linux Security Update for expat (RLSA-2022:0951)