CVE-2021-23792

The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
Configurations

Configuration 1 (hide)

cpe:2.3:a:twelvemonkeys_project:twelvemonkeys:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:51

Type Values Removed Values Added
References () https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80 - Patch, Third Party Advisory () https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80 - Patch, Third Party Advisory
References () https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763 - Patch, Third Party Advisory () https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763 - Patch, Third Party Advisory
CVSS v2 : 7.5
v3 : 9.8
v2 : 7.5
v3 : 7.3

Information

Published : 2022-05-06 20:15

Updated : 2024-11-21 05:51


NVD link : CVE-2021-23792

Mitre link : CVE-2021-23792

CVE.ORG link : CVE-2021-23792


JSON object : View

Products Affected

twelvemonkeys_project

  • twelvemonkeys
CWE
CWE-611

Improper Restriction of XML External Entity Reference