CVE-2021-23926
XML External Entity (XXE) vulnerability in xmlbeans (Maven)
What is CVE-2021-23926 About?
This vulnerability in XMLBeans up to version 2.6.0 allows XML Entity Expansion attacks because the XML parsers the library uses are not configured to protect against malicious XML input. Attackers can craft XML documents that, when parsed, consume excessive resources, leading to a denial of service. Exploiting this requires providing a specially crafted XML file to the application.
Affected Software
Technical Details
XMLBeans versions up to and including 2.6.0 are vulnerable because the XML parsers they use do not properly set properties necessary to protect against malicious XML input. Specifically, they are susceptible to XML Entity Expansion attacks, a type of XML Bomb. An attacker can craft an XML document containing deeply nested or exponentially expanding entity definitions. When this malicious XML is parsed by an application using the vulnerable XMLBeans library, the parser attempts to expand all these entities, leading to a rapid and massive consumption of memory and CPU resources. This resource exhaustion ultimately causes a denial of service, rendering the application unresponsive or crashing it.
What is the Impact of CVE-2021-23926?
Successful exploitation may allow attackers to cause a denial of service, rendering the application or system unavailable to legitimate users.
What is the Exploitability of CVE-2021-23926?
Exploitation complexity is low, as it only requires an attacker to supply a crafted XML document to an application that processes XML via the vulnerable XMLBeans library. No authentication is needed if the application accepts XML input from untrusted sources. This is typically a remote attack if XML input is accepted over a network. The main prerequisite is that the application uses an affected XMLBeans version and processes untrusted XML documents. The likelihood of exploitation increases in applications that expose XML parsing functionality to external users or systems.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23926?
Available Upgrade Options
- org.apache.xmlbeans:xmlbeans
  - <3.0.0 → Upgrade to 3.0.0
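Upgrading to 3.0.0 is the fix. For applications that cannot upgrade immediately, the following check is added here as an example (it is not code from this page or from the XMLBeans project): a hardened JAXP SAX parser that refuses any DOCTYPE screens untrusted XML before it is handed to the vulnerable library, so entity declarations, the vehicle for both entity expansion and XXE, are never processed. The feature URIs are the standard Xerces/JAXP names and are assumed to be honoured by the JDK's bundled parser; SAMPLE_BOMB is a constructed, deliberately shallow entity-expansion document used only to exercise the check.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlCheck {
    // Constructed sample: the structure of an entity-expansion ("XML bomb")
    // document, kept to two nesting levels so it is harmless to parse.
    static final String SAMPLE_BOMB =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + " <!ENTITY lol \"lol\">\n"
      + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;\">\n"
      + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;\">\n"
      + "]>\n"
      + "<lolz>&lol2;</lolz>";

    // Hardened parser: reject any DOCTYPE outright and disable external
    // entity resolution, so no entity declaration is ever expanded.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    // Returns true when the document passes the hardened parse and may be
    // forwarded to XMLBeans; false when it was rejected (e.g. DOCTYPE present).
    static boolean accepts(String xml) throws Exception {
        try {
            hardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            // The DOCTYPE is refused before any entity in it can be expanded.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("bomb accepted:  " + accepts(SAMPLE_BOMB));
        System.out.println("plain accepted: " + accepts("<doc><a>ok</a></doc>"));
    }
}
```

The screen parses every document twice (once here, once in XMLBeans), so it is a stop-gap with a measurable cost, not a replacement for the 3.0.0 upgrade.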
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://poi.apache.org
- https://nvd.nist.gov/vuln/detail/CVE-2021-23926
- https://osv.dev/vulnerability/GHSA-mw3r-pfmg-xp92
- https://issues.apache.org/jira/browse/XMLBEANS-517
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed%40%3Cjava-dev.axis.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/06/msg00024.html
What are Similar Vulnerabilities to CVE-2021-23926?
Similar Vulnerabilities: CVE-2020-13936, CVE-2020-7798, CVE-2020-14187, CVE-2020-1945, CVE-2020-17521
