CVE-2021-23926: Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion)

January 14, 2021 (updated November 7, 2023)

The XML parsers used by XMLBeans up to does not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks.

References

issues.apache.org/jira/browse/XMLBEANS-517
nvd.nist.gov/vuln/detail/CVE-2021-23926
poi.apache.org/

Code Behaviors & Features

Detect and mitigate CVE-2021-23926 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →