Bug 1987330 (CVE-2021-32796) - CVE-2021-32796 nodejs-xmldom: misinterpretation of malicious XML input
Summary: CVE-2021-32796 nodejs-xmldom: misinterpretation of malicious XML input
Keywords:
Status: NEW
Alias: CVE-2021-32796
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1987331 1989054
Blocks: 1987332
Reported: 2021-07-29 14:03 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-10-25 17:21 UTC
CC List: 12 users

Fixed In Version: xmldom 0.7.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-xmldom. The xmldom library is an open-source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. Xmldom does not correctly escape special characters when serializing elements removed from their ancestor. This flaw may lead to unexpected syntactic changes during XML processing in some downstream applications. Invalid processing of XML documents could lead to a loss of confidentiality or integrity of data in the application using the vulnerable library.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Guilherme de Almeida Suckevicz 2021-07-29 14:03:29 UTC
xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround, downstream applications can validate the input and reject the maliciously crafted documents.


Reference:
https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q

Upstream patch:
https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b

Comment 1 Guilherme de Almeida Suckevicz 2021-07-29 14:04:06 UTC
Created nodejs-xmldom tracking bugs for this issue:

Affects: epel-7 [bug 1987331]

Comment 2 Guilherme de Almeida Suckevicz 2021-07-29 14:04:12 UTC
Created nodejs-xmldom tracking bugs for this issue:

Affects: epel-7 [bug 1987331]
