====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN027
_____________________________________________________________________

DATE                : 14/01/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running XMLBeans versions prior to 3.0.0,
                                              4.0.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202101.mbox/%3c272070702.2034267.1610629828577@mail.yahoo.com%3e
_____________________________________________________________________

CVE-2021-23926: XMLBeans XML Entity Expansion


Description:

The XML parsers used by XMLBeans up to version 2.6.0 did not set the
properties needed to protect the user from malicious XML input.
Vulnerabilities include possibilities for XML Entity
Expansion attacks.

Affects XMLBeans up to and including v2.6.0. It is recommended to
upgrade to at least v3.0.0 but v4.0.0 is recommended. This upgrade is
not expected to be difficult for most users.


This issue is being tracked as
https://issues.apache.org/jira/browse/XMLBEANS-517


References:

https://poi.apache.org/
https://issues.apache.org/jira/browse/XMLBEANS-517


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================