{"id":"CVE-2021-3836","details":"dbeaver is vulnerable to Improper Restriction of XML External Entity Reference","modified":"2026-04-11T23:37:41.171106Z","published":"2021-12-14T16:15:08.963Z","references":[{"type":"REPORT","url":"https://huntr.dev/bounties/a98264fb-1930-4c7c-b774-af24c0175fd4"},{"type":"FIX","url":"https://github.com/dbeaver/dbeaver/commit/4debf8f25184b7283681ed3fb5e9e887d9d4fe22"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dbeaver/dbeaver","events":[{"introduced":"0"},{"fixed":"6eab0c0d60ea8a85b19a110297f03f4135ec12ce"},{"fixed":"4debf8f25184b7283681ed3fb5e9e887d9d4fe22"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"21.2.3"}]}}],"versions":["21.1.3","21.1.4","21.1.5","3.5.4","3.5.5","3.5.6","3.5.7","3.5.8","3.5.9","3.6.0","3.6.1","3.6.10","3.6.2","3.6.3","3.6.4","3.6.5","3.6.7","3.6.8","3.6.9","3.7.0","3.7.3","3.7.4","3.7.5","3.7.6","3.7.7","3.8.0","3.8.1","3.8.3","3.8.4","3.8.5","4.0.0","4.0.2","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.1.0","4.1.1","4.1.2","4.1.3","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.3.0","4.3.1","4.3.2","4.3.3","4.3.4","4.3.5","5.0.0","5.0.1","5.0.3","5.0.5","5.0.6","5.1.0","5.2.3","5.2.4","5.2.5","5.3.0","5.3.1","5.3.2","5.3.4","5.3.5","6.0.0","6.0.1","6.0.2","6.0.3","6.0.4","6.0.5","6.1.0","6.1.1","6.1.2","6.1.3","6.1.4","6.1.5","6.2.0","6.2.1","7.0.4","7.2.4"],"database_specific":{"vanir_signatures_modified":"2026-04-11T23:37:41Z","vanir_signatures":[{"deprecated":false,"target":{"file":"plugins/org.jkiss.dbeaver.ui/src/org/jkiss/dbeaver/ui/controls/VerticalButton.java"},"signature_type":"Line","id":"CVE-2021-3836-113b6550","source":"https://github.com/dbeaver/dbeaver/commit/6eab0c0d60ea8a85b19a110297f03f4135ec12ce","digest":{"threshold":0.9,"line_hashes":["305125151484220046472971332258979209061","152238718482275166365648983886120350002","205920397040561298597803709548399878986","227717952725908933414441791366712190404","195664624807065084187491229385032802806","34985724372715828227446530265145709135","39211914196918581433443148524604111718"]},"signature_version":"v1"},{"deprecated":false,"target":{"function":"parseDocument","file":"bundles/org.jkiss.utils/src/org/jkiss/utils/xml/XMLUtils.java"},"signature_type":"Function","id":"CVE-2021-3836-83027dc0","source":"https://github.com/dbeaver/dbeaver/commit/4debf8f25184b7283681ed3fb5e9e887d9d4fe22","digest":{"function_hash":"174314306622300802111213029235391419699","length":246},"signature_version":"v1"},{"deprecated":false,"target":{"file":"bundles/org.jkiss.utils/src/org/jkiss/utils/xml/XMLUtils.java"},"signature_type":"Line","id":"CVE-2021-3836-99371be0","source":"https://github.com/dbeaver/dbeaver/commit/4debf8f25184b7283681ed3fb5e9e887d9d4fe22","digest":{"threshold":0.9,"line_hashes":["29985939312361190242250581700088389482","10842332814039443893953718383961136132","156655913057028810329593440432126290034","42690939432060143990890634345568917346","289289947539241354903658736009041509351"]},"signature_version":"v1"},{"deprecated":false,"target":{"function":"paint","file":"plugins/org.jkiss.dbeaver.ui/src/org/jkiss/dbeaver/ui/controls/VerticalButton.java"},"signature_type":"Function","id":"CVE-2021-3836-c90d7451","source":"https://github.com/dbeaver/dbeaver/commit/6eab0c0d60ea8a85b19a110297f03f4135ec12ce","digest":{"function_hash":"179108765244725025449433290234596390262","length":2268},"signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3836.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}