CVE-2021-23926: 
Java vulnerability analysis and mitigation

The XML parsers used by XMLBeans up to version 2.6.0 contained a vulnerability that failed to set the properties needed to protect users from malicious XML input. This vulnerability (CVE-2021-23926) was discovered in January 2021 and affects XMLBeans versions up to and including 2.6.0. The vulnerability specifically relates to XML Entity Expansion attacks (CVE Details, MITRE CVE).

The vulnerability stems from improper configuration of XML parsers in XMLBeans that left them susceptible to XML External Entity (XXE) attacks. When parsing XML files using XMLBeans 2.6.0 or below, the underlying parser created by XMLBeans could be exploited through malicious XML input. This issue was identified as a critical security concern requiring implementation of proper XML parser security controls (Apache POI, Debian Tracker).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information or Denial of Service (DoS) through XML Entity Expansion attacks. The vulnerability received a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H (NetApp Advisory).

Users are advised to update to Apache XMLBeans 3.0.0 or above which fixes this vulnerability. XMLBeans 4.0.0 or above is preferable for the most secure implementation. The update implements sensible defaults for the XML parsers to prevent these kinds of attacks (Apache POI, Debian LTS).