Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-21366: Release 0.5.0 · xmldom/xmldom

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

CVE
#java

Fixes

  • Avoid misinterpretation of malicious XML input - GHSA-h6q6-9hqw-rwfv (CVE-2021-21366)

    • Improve error reporting; throw on duplicate attribute
      BREAKING CHANGE: It is currently not clear how to consistently deal with duplicate attributes, so it’s also safer for our users to fail when detecting them.
      It’s possible to configure the DOMParser.errorHandler before parsing, to handle those errors differently.

      To accomplish this and also be able to verify it in tests I needed to

      • create a new Error type ParseError and export it
      • Throw ParseError from errorHandler.fatalError and prevent those from being caught in XMLReader.
      • export DOMHandler constructor as __DOMHandler
    • Preserve quotes in DOCTYPE declaration
      Since the only purpose of parsing the DOCTYPE is to be able to restore it when serializing, we decided that it would be best to leave the parsed publicId and systemId as is, including any quotes.
      BREAKING CHANGE: If somebody relies on the actual unquoted values of those ids, they will need to take care of either single or double quotes and the right escaping.
      (Without this change this would not have been possible because the SAX parser already dropped the information about the quotes that have been used in the source.)

      https://www.w3.org/TR/2006/REC-xml11-20060816/#dtd
      https://www.w3.org/TR/2006/REC-xml11-20060816/#IDAX1KS (External Entity Declaration)

  • Fix breaking preprocessors’ directives when parsing attributes #171

  • fix(dom): Escape ]]> when serializing CharData #181

  • Switch to (only) MIT license (drop problematic LGPL license option) #178

  • Export DOMException; remove custom assertions; etc. #174

Docs

  • Update MDN links in readme.md #188

Related news

Ubuntu Security Notice USN-6102-1

Ubuntu Security Notice 6102-1 - It was discovered that xmldom incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause unexpected syntactic changes during XML processing. This issue only affected Ubuntu 20.04 LTS. It was discovered that xmldom incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907