CVE-2021-23792

EUVD-2022-4783
The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
snykCNA
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
Affected Products (NVD)
VendorProductVersion
twelvemonkeys_projecttwelvemonkeys
𝑥
< 3.7.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libtwelvemonkeys-java
bookworm
3.9.4-1
fixed
bullseye
no-dsa
buster
no-dsa
sid
3.11.0+dfsg-2
fixed
trixie
3.9.4-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libtwelvemonkeys-java
bionic
needs-triage
focal
needs-triage
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
Common Weakness Enumeration
References
https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80
https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763
https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80
https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763