Miggo Logo
Miggo Vulnerability Database
CVE-2021-42521

CVE-2021-42521: VTK NULL pointer dereference vulnerability

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-42521
GHSA ID
GHSA-xfhg-9pjg-xg7g
EPSS Score
0.23289%
CWE
CWE-400
Published
8/26/2022
Updated
11/18/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
vtkpip>= 0, < 9.0.19.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly identifies vtkXMLTreeReader.cxx as the vulnerable file and the GitLab issue #17818 confirms the unsafe usage of xmlDocGetRootElement's return value in vtkXMLTreeReaderProcessElement. The function would appear in stack traces when parsing malicious XML content that triggers the NULL dereference. The lack of NULL checking before pointer access directly matches the CWE-476 vulnerability type described.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * NULL point*r **r***r*n** vuln*r**ility in VTK, *n* it li*s in IO/In*ovis/vtkXMLTr**R****r.*xx. T** v*n*or *i*n't ****k t** r*turn v*lu* o* li*xml* *PI 'xml*o***tRoot*l*m*nt', *n* try to **r***r*n** it. It is uns*** *s t** r*turn v*lu* **n

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s `vtkXMLTr**R****r.*xx` *s t** vuln*r**l* *il* *n* t** *itL** issu* #***** *on*irms t** uns*** us*** o* `xml*o***tRoot*l*m*nt`'s r*turn v*lu* in `vtkXMLTr**R****rPro**ss*l*m*nt`. T** *un*tion woul* *