A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
CVE-2021-3537 - Medium Severity Vulnerability
Vulnerable Library - https://source.codeaurora.org/quic/la/platform/external/libxml2/LA.UM.6.6.c27-04000-89xx.0
Library home page: https://source.codeaurora.org/quic/la/platform/external/libxml2/
Found in HEAD commit: 36c617da7227c5471a24ab8d026c496382f77ef5
Found in base branch: main
Vulnerable Source Files (1)
dvna/node_modules/libxmljs/vendor/libxml/parser.c
Vulnerability Details
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
Publish Date: 2021-05-14
URL: CVE-2021-3537
CVSS 3 Score Details (5.9)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1956522
Release Date: 2021-05-14
Fix Resolution: libxml2 2.9.11