CVE-2021-42260

CVE-2021-42260

Name

CVE-2021-42260

Description

TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://sourceforge.net/p/tinyxml/bugs/141/
Mailing List	https://lists.debian.org/debian-lts-announce/2022/04/msg00019.html

Type

URI

MISC

https://sourceforge.net/p/tinyxml/bugs/141/

Mailing List

https://lists.debian.org/debian-lts-announce/2022/04/msg00019.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:tinyxml_project:tinyxml::::::::`	tinyxml	>= None	<= 2.6.2
`cpe:2.3:a:tinyxml_project:tinyxml:2.3.0:beta::::::`	tinyxml	== None	== 2.3.0
`cpe:2.3:a:tinyxml_project:tinyxml:2.3.1:beta::::::`	tinyxml	== None	== 2.3.1
`cpe:2.3:a:tinyxml_project:tinyxml::::::::`	tinyxml	>= 2.3.2	<= 2.6.2

CPE URI

Source package

Min version

Max version

cpe:2.3:a:tinyxml_project:tinyxml:*:*:*:*:*:*:*:*

tinyxml

>= None

<= 2.6.2

cpe:2.3:a:tinyxml_project:tinyxml:2.3.0:beta:*:*:*:*:*:*

tinyxml

== None

== 2.3.0

cpe:2.3:a:tinyxml_project:tinyxml:2.3.1:beta:*:*:*:*:*:*

tinyxml

== None

== 2.3.1

cpe:2.3:a:tinyxml_project:tinyxml:*:*:*:*:*:*:*:*

tinyxml

>= 2.3.2

<= 2.6.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
tinyxml	edge-community	2.6.2-r1	None	possibly vulnerable
tinyxml	3.14-community	2.6.2-r1	None	possibly vulnerable
tinyxml	3.11-main	2.6.2-r1	None	possibly vulnerable
tinyxml	3.15-community	2.6.2-r1	None	possibly vulnerable
tinyxml	3.16-community	2.6.2-r1	None	possibly vulnerable
tinyxml	3.17-community	2.6.2-r1	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

tinyxml

edge-community

2.6.2-r1

None

possibly vulnerable

tinyxml

3.14-community