Bug 1987330 (CVE-2021-32796)
Summary: CVE-2021-32796 nodejs-xmldom: misinterpretation of malicious XML input

Field | Value |
---|---|
Product: | [Other] Security Response |
Component: | vulnerability |
Status: | NEW |
Severity: | medium |
Priority: | medium |
Version: | unspecified |
Hardware: | All |
OS: | Linux |
Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Assignee: | Nobody <nobody> |
CC: | aileenc, aos-bugs, chazlett, extras-orphan, gmalinko, gparvin, janstey, jochrist, jwon, nodejs-sig, rfreiman, stcannon |
Keywords: | Security |
Fixed In Version: | xmldom 0.7.0 |
Doc Type: | If docs needed, set a value |
Bug Depends On: | 1987331, 1989054 |
Bug Blocks: | 1987332 |

Doc Text:
A flaw was found in nodejs-xmldom. The xmldom library is an open-source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. Xmldom does not correctly escape special characters when serializing elements removed from their ancestor. This flaw may lead to unexpected syntactic changes during XML processing in some downstream applications. Invalid processing of XML documents could lead to a loss of confidentiality or integrity of data in the application using the vulnerable library.

Description
Guilherme de Almeida Suckevicz
2021-07-29 14:03:29 UTC
Created nodejs-xmldom tracking bugs for this issue: Affects: epel-7 [bug 1987331]
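
A check for the flaw described in the Doc Text, added here as an example and not part of the original bug report or the xmldom project: it walks a parsed npm lockfile and reports xmldom installs older than the 0.7.0 given under Fixed In Version. The lockfile contents are constructed samples, and matching both the `xmldom` and `@xmldom/xmldom` package names is an assumption.

```javascript
const FIXED = [0, 7, 0]; // "Fixed In Version: xmldom 0.7.0" from the bug record
// Assumption: the library may be installed under either npm name.
const NAMES = new Set(['xmldom', '@xmldom/xmldom']);

// True when version v sorts before 0.7.0 (pre-releases of 0.7.0 included).
function isBelowFixed(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(v));
  if (!m) return true; // unparseable version: surface it for manual review
  for (let i = 0; i < 3; i++) {
    const part = Number(m[i + 1]);
    if (part !== FIXED[i]) return part < FIXED[i];
  }
  return m[4] === '-';
}

// Accepts a parsed package-lock.json and returns [{ path, version }, ...].
function findAffected(lock) {
  const hits = [];
  const check = (name, path, info) => {
    if (NAMES.has(name) && isBelowFixed(info.version)) hits.push({ path, version: info.version });
  };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, info] of Object.entries(lock.packages)) {
      check(path.split('node_modules/').pop(), path, info);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  (function walk(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      check(name, trail.concat(name).join(' > '), info);
      walk(info.dependencies, trail.concat(name));
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_V2 = { lockfileVersion: 2, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/xmldom': { version: '0.6.0' },
  'node_modules/some-parser/node_modules/xmldom': { version: '0.1.27' },
  'node_modules/@xmldom/xmldom': { version: '0.7.0' },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'some-parser': { version: '2.0.0', dependencies: { xmldom: { version: '0.5.0' } } },
  xmldom: { version: '0.7.0' },
} };
console.log(findAffected(SAMPLE_V2), findAffected(SAMPLE_V1));
```

To audit a real project, pass `JSON.parse` of its `package-lock.json` to `findAffected`; nested copies pulled in by other dependencies are reported with their install path.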