Bug 2210851 (CVE-2021-21366)

Summary: CVE-2021-21366 xmldom: incorrect parsing and serialization leads to unexpected behavior
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, jburrell, rogbas, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xmldom 0.5.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-31 02:44:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2210853, 2210852    
Bug Blocks: 2209798    

Description Anten Skrabec 2023-05-29 18:23:27 UTC 
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
Comment 1 Anten Skrabec 2023-05-29 18:27:18 UTC 
Created breeze-icon-theme tracking bugs for this issue:

Affects: epel-8 [bug 2210853]
Affects: fedora-all [bug 2210852]
Comment 3 Product Security DevOps Team 2023-05-31 02:44:50 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21366