CVE-2021-33813

NameCVE-2021-33813
DescriptionAn XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2696-1, DLA-2712-1
Debian Bugs990671, 990672, 990673

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libjdom1-java (PTS)buster1.1.3-2vulnerable
bullseye1.1.3-2.1fixed
sid, trixie, bookworm1.1.3-3fixed
libjdom2-intellij-java (PTS)buster, bullseye2.0.6+git20180529-2vulnerable
sid, trixie, bookworm2.0.6+git20180529-3vulnerable
libjdom2-java (PTS)buster2.0.6-1vulnerable
bullseye2.0.6-2.1fixed
sid, trixie, bookworm2.0.6.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libjdom1-javasourcestretch1.1.3-1+deb9u1DLA-2712-1
libjdom1-javasource(unstable)1.1.3-2.1990672
libjdom2-intellij-javasource(unstable)(unfixed)990673
libjdom2-javasourcestretch2.0.6-1+deb9u1DLA-2696-1
libjdom2-javasource(unstable)2.0.6-2.1990671

Notes

[bookworm] - libjdom2-intellij-java <no-dsa> (Minor issue)
[bullseye] - libjdom2-intellij-java <no-dsa> (Minor issue)
[buster] - libjdom2-intellij-java <no-dsa> (Minor issue)
[buster] - libjdom2-java <no-dsa> (Minor issue)
[buster] - libjdom1-java <no-dsa> (Minor issue)
https://github.com/hunterhacker/jdom/pull/188
https://alephsecurity.com/vulns/aleph-2021003
Fixed by: https://github.com/hunterhacker/jdom/commit/bd3ab78370098491911d7fe9d7a43b97144a234e
Possible regression impact: https://github.com/hunterhacker/jdom/pull/188#issuecomment-872685011
Improved regression with: https://github.com/hunterhacker/jdom/commit/dd4f3c2fc7893edd914954c73eb577f925a7d361
https://github.com/hunterhacker/jdom/commit/07f316957b59d305f04c7bdb26292852bcbc2eb5
Search for package or bug name: Reporting problems