Detections
Analytics

DBeaver < 21.2.3 XXE Vulnerability

medium Nessus Plugin ID 297220

Language:

Synopsis

An updater application installed on the remote Windows host is affected by a XXE vulnerability.

Description

The version of DBeaver installed on the remote Windows host is prior to 21.2.3. It is, therefore, affected by the following XXE vulnerability:

 - The dbeaver is vulnerable to XML External Entity (XXE). An attacker that is able to provide a crafted XML file as input to the parseDocument() function in the 'XMLUtils.java' file may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.(CVE-2021-3836)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to DBeaver 21.2.3 or later.

See Also

http://www.nessus.org/u?be3befe8

http://www.nessus.org/u?545b101f

Plugin Details

Severity: Medium

ID: 297220

File Name: dbeaver_21_2_3.nasl

Version: 1.2

Type: local

Agent: windows

Family: Windows

Published: 1/30/2026

Updated: 2/3/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-3836

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:dbeaver:dbeaver

Required KB Items: SMB/Registry/Enumerated, installed_sw/DBeaver

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/17/2021

Vulnerability Publication Date: 9/21/2021

Reference Information

CVE: CVE-2021-3836

IAVA: 2026-A-0083