CVE-2021-33813

Name: CVE-2021-33813
Description: An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-2696-1, DLA-2712-1
NVD severity: medium
Debian Bugs: 990671, 990672, 990673

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package               | Release               | Version             | Status     |
|------------------------------|-----------------------|---------------------|------------|
| libjdom1-java (PTS)          | stretch               | 1.1.3-1             | vulnerable |
| libjdom1-java                | stretch (security)    | 1.1.3-1+deb9u1      | fixed      |
| libjdom1-java                | bullseye, sid, buster | 1.1.3-2             | vulnerable |
| libjdom2-intellij-java (PTS) | bullseye, sid, buster | 2.0.6+git20180529-2 | vulnerable |
| libjdom2-java (PTS)          | stretch (security)    | 2.0.6-1+deb9u1      | fixed      |
| libjdom2-java                | buster, stretch       | 2.0.6-1             | vulnerable |
| libjdom2-java                | bullseye, sid         | 2.0.6-2             | vulnerable |

The information below is based on the following data on fixed versions.

| Package                | Type   | Release    | Fixed Version  | Urgency | Origin     | Debian Bugs |
|------------------------|--------|------------|----------------|---------|------------|-------------|
| libjdom1-java          | source | stretch    | 1.1.3-1+deb9u1 |         | DLA-2712-1 |             |
| libjdom1-java          | source | (unstable) | (unfixed)      |         |            | 990672      |
| libjdom2-intellij-java | source | (unstable) | (unfixed)      |         |            | 990673      |
| libjdom2-java          | source | stretch    | 2.0.6-1+deb9u1 |         | DLA-2696-1 |             |
| libjdom2-java          | source | (unstable) | (unfixed)      |         |            | 990671      |

Notes

[bullseye] - libjdom2-intellij-java <no-dsa> (Minor issue)
[buster] - libjdom2-intellij-java <no-dsa> (Minor issue)
[bullseye] - libjdom2-java <no-dsa> (Minor issue)
[buster] - libjdom2-java <no-dsa> (Minor issue)
[bullseye] - libjdom1-java <no-dsa> (Minor issue)
[buster] - libjdom1-java <no-dsa> (Minor issue)
https://github.com/hunterhacker/jdom/pull/188
https://alephsecurity.com/vulns/aleph-2021003
Fixed by: https://github.com/hunterhacker/jdom/commit/bd3ab78370098491911d7fe9d7a43b97144a234e
Possible regression impact: https://github.com/hunterhacker/jdom/pull/188#issuecomment-872685011
Improved regression with: https://github.com/hunterhacker/jdom/commit/dd4f3c2fc7893edd914954c73eb577f925a7d361
https://github.com/hunterhacker/jdom/commit/07f316957b59d305f04c7bdb26292852bcbc2eb5