
CVE-2021-41559: Quadratic blowup in Convert::xml2array()

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.70555%
Published: 6/29/2022
Updated: 8/17/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name           | Ecosystem | Vulnerable Versions  | First Patched Version
silverstripe/framework | composer  | >= 4.0.0, < 4.10.9   | 4.10.9

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability title and the CVE description both name Convert::xml2array() as the function that parses the attacker-supplied XML, and the security advisory confirms that this is where entity expansion was not restricted. The CWE-776 classification (improper restriction of recursive entity references in DTDs, "XML Entity Expansion") matches the reported behaviour: a quadratic blowup is the variant of entity expansion in which one large internal entity is referenced many times in the document body, so a small input expands to a very large one without the nested entities of a "billion laughs" payload. No patch diff is available, so the vulnerable function is identified from these descriptions rather than from the fix itself, but every source points to the same function.
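The following PHP is an added example, not Silverstripe's Convert::xml2array() and not the 4.10.9 patch. It builds a constructed quadratic-blowup document (one large internal entity referenced thousands of times, with the DOCTYPE split across lines) and shows a pre-parse guard that refuses any untrusted document carrying a DTD before libxml2 sees it. The function names buildQuadraticBlowup(), containsDtd() and parseUntrustedXml(), the 1 MiB size cap and both sample documents are assumptions made for illustration.

```php
<?php
// Added example for CWE-776 quadratic blowup; not Silverstripe code.
declare(strict_types=1);

/**
 * Constructed attack document: one entity of $entityBytes bytes referenced
 * $refs times. Input size is ~ $entityBytes + 5 * $refs, expanded size is
 * ~ $entityBytes * $refs. The DOCTYPE is spread over several lines on purpose,
 * because a guard that matches a whole DOCTYPE on one line would miss it.
 */
function buildQuadraticBlowup(int $entityBytes, int $refs): string
{
    $payload = str_repeat('A', $entityBytes);
    $body = str_repeat('&big;', $refs);
    return "<?xml version=\"1.0\"?>\n"
        . "<!DOCTYPE root [\n"
        . "  <!ENTITY big \"{$payload}\">\n"
        . "]>\n"
        . "<root>{$body}</root>";
}

/**
 * True if the document declares a DTD or an entity anywhere. Matching the
 * opening token rather than a complete "<!DOCTYPE ... ]>" makes the check
 * independent of line breaks inside the internal subset.
 */
function containsDtd(string $xml): bool
{
    return preg_match('/<!(?:DOCTYPE|ENTITY)\b/i', $xml) === 1;
}

/**
 * Parse untrusted XML into a SimpleXMLElement. Refuses oversized input and
 * any document with a DTD, and never fetches external resources. Throws
 * InvalidArgumentException on unsafe input or a parse failure.
 */
function parseUntrustedXml(string $xml, int $maxBytes = 1048576): SimpleXMLElement
{
    if (strlen($xml) > $maxBytes) {
        throw new InvalidArgumentException('XML document exceeds size limit');
    }
    if (containsDtd($xml)) {
        throw new InvalidArgumentException('XML documents with a DTD are not accepted');
    }

    $previous = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET: no network access during parsing.
        // LIBXML_NOENT is deliberately left unset, so no entity substitution
        // is requested; the DTD refusal above is the control that stops the blowup.
        $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
        if ($doc === false) {
            $messages = array_map(fn($e) => trim($e->message), libxml_get_errors());
            throw new InvalidArgumentException('XML parse error: ' . implode('; ', $messages));
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Demonstration: ~150 KB of input that would expand to ~1 GB is rejected
// before the parser runs; a benign document is parsed normally.
$attack = buildQuadraticBlowup(50000, 20000);
try {
    parseUntrustedXml($attack);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

$benign = '<?xml version="1.0"?><root><item id="1">ok</item></root>';
$doc = parseUntrustedXml($benign);
echo "parsed item: ", (string) $doc->item, "\n";
```

Run it with the php CLI: the first call prints the rejection message, the second prints the parsed item text. The guard is placed before the parser on purpose: once libxml2 starts reading the internal subset, the amount of work it does is governed by the parser's own limits rather than by the caller, so refusing DTDs at the boundary and capping input size are the two checks a caller can rely on regardless of libxml2 version.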


WAF Protection Rules

WAF Rule

Silverstripe silverstripe/framework 4.x until 4.10.9 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.
