{
  "threat_severity" : "Important",
  "public_date" : "2021-01-13T00:00:00Z",
  "bugzilla" : {
    "description" : "xmlbeans: allowed malicious XML input may lead to XML Entity Expansion attack",
    "id" : "1922102",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1922102"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-776",
  "details" : [ "The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.", "A flaw was found when parsing XML files using XMLBeans 2.6.0 or below. The underlying parser created by XMLBeans could be susceptible to XML External Entity (XXE) attacks. The highest threat from this vulnerability is to confidentiality and system availability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.10",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5134",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "xmlbeans",
    "impact" : "moderate"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Out of support scope",
    "package_name" : "xmlbeans",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "xmlbeans",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "xmlbeans",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Out of support scope",
    "package_name" : "xmlbeans",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "xmlbeans",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "xmlbeans",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Affected",
    "package_name" : "xmlbeans",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "xmlbeans",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5",
    "fix_state" : "Out of support scope",
    "package_name" : "xmlbeans",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "xmlbeans",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-23926\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23926" ],
  "name" : "CVE-2021-23926",
  "mitigation" : {
    "value" : "Affected users are advised to update to Apache XMLBeans 3.0.0 or above, which fixes this vulnerability.",
    "lang" : "en:us"
  },
  "csaw" : false
}