CVE-2021-42521

There is a NULL pointer dereference vulnerability in VTK before 9.2.5, and it lies in IO/Infovis/vtkXMLTreeReader.cxx. The vendor didn't check the return value of libxml2 API 'xmlDocGetRootElement', and try to dereference it. It is unsafe as the return value can be NULL and that NULL pointer dereference may crash the application.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://discourse.vtk.org/t/vtk-9-2-5-is-out/10549
https://gitlab.kitware.com/vtk/vtk/issues/17818	Exploit Issue Tracking Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PCTMSAAVP4BW2HTZLDWMGKZ2WEC5OFLK/

Configurations

Configuration 1 (hide)

cpe:2.3:a:vtk:vtk:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-08-25 18:15

Updated : 2023-11-07 03:39

NVD link : CVE-2021-42521

Mitre link : CVE-2021-42521

CVE.ORG link : CVE-2021-42521

JSON object : View

Products Affected

vtk

vtk

CWE

CWE-476

NULL Pointer Dereference

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2021-42521", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-08-25T18:15:09.140", "references": [{"url": "https://discourse.vtk.org/t/vtk-9-2-5-is-out/10549", "source": "patrick@puiterwijk.org"}, {"url": "https://gitlab.kitware.com/vtk/vtk/issues/17818", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "patrick@puiterwijk.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PCTMSAAVP4BW2HTZLDWMGKZ2WEC5OFLK/", "source": "patrick@puiterwijk.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}, {"type": "Secondary", "source": "patrick@puiterwijk.org", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "There is a NULL pointer dereference vulnerability in VTK before 9.2.5, and it lies in IO/Infovis/vtkXMLTreeReader.cxx. The vendor didn't check the return value of libxml2 API 'xmlDocGetRootElement', and try to dereference it. It is unsafe as the return value can be NULL and that NULL pointer dereference may crash the application."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de desreferencia de puntero NULL en VTK, y es encontrada en el archivo IO/Infovis/vtkXMLTreeReader.cxx. El proveedor no ha comprobado el valor de retorno de la API \"xmlDocGetRootElement\" de libxml2, e intenta des referenciarlo. No es seguro ya que el valor de retorno puede ser NULL y esa desreferencia de puntero NULL puede bloquear la aplicaci\u00f3n."}], "lastModified": "2023-11-07T03:39:11.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vtk:vtk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D5A6B13E-07ED-4AD2-B578-25CDFD068563", "versionEndIncluding": "9.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "patrick@puiterwijk.org"}