Headline
CVE-2021-3541: Exponential entity expansion attack bypasses all existing protection mechanisms
A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
Description Pedro Sampaio 2021-04-16 19:06:00 UTC
A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
Comment 5 Huzaifa S. Sidhpurwala 2021-05-13 07:35:00 UTC
Acknowledgments:
Name: Sebastian Pipping
Comment 6 Huzaifa S. Sidhpurwala 2021-05-13 07:38:23 UTC
This flaw is essentially a variant of the billion laughs attack which can DoS libxml2 even with the set of safe flags. The original billion laughs attack was fixed in libxml2 via https://access.redhat.com/security/cve/CVE-2003-1564
Expat packages shipped in Red Hat products and the upstream project are still vulnerable to billion laughs attack.
Comment 7 Huzaifa S. Sidhpurwala 2021-05-13 07:56:41 UTC
Created libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1960153]
Created mingw-libxml2 tracking bugs for this issue:
Affects: fedora-all [bug 1960154]