CVE-2021-23792
Severity: HIGH
twelvemonkeys < 3.7.1 - XML External Entity Injection via XMP Metadata Parser
The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser used for reading XMP metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, the XXE vulnerability is triggered.
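The root cause named above is parser initialization, so the defensive fix is to build the XMP parser with DTD and external-entity handling disabled before any image-supplied bytes reach it. The following is an added example, not TwelveMonkeys' own code: a hypothetical helper that builds a hardened JAXP DocumentBuilder (the Xerces feature URIs are the ones shipped with the JDK's built-in parser), parses a constructed well-formed XMP packet, and shows that a constructed packet carrying a DOCTYPE is rejected outright.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmpParser {

    // Hypothetical helper: a DocumentBuilder with the features relevant to CWE-611 switched off.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // XMP packets never carry a DTD, so reject any DOCTYPE at the root; this alone blocks entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth in case a different parser implementation ignores the DOCTYPE feature.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Parses one XMP packet (raw bytes as extracted from the image) with the hardened builder.
    static Document parseXmp(byte[] packet) throws Exception {
        return newHardenedBuilder().parse(new ByteArrayInputStream(packet));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal well-formed XMP packet.
        String benign = "<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>"
            + "<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
            + "<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>"
            + "<rdf:Description rdf:about=''/></rdf:RDF></x:xmpmeta><?xpacket end='w'?>";
        // Constructed sample: the same packet with a DOCTYPE prepended; any DTD is grounds for rejection here.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e 'placeholder'>]>" + benign;

        Document ok = parseXmp(benign.getBytes(StandardCharsets.UTF_8));
        System.out.println("benign root element: " + ok.getDocumentElement().getTagName());
        try {
            parseXmp(withDoctype.getBytes(StandardCharsets.UTF_8));
        } catch (SAXParseException e) {
            System.out.println("rejected packet with DOCTYPE: " + e.getMessage());
        }
    }
}
```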
References (2)
Patch, Third Party Advisory (x_refsource_misc): https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763
Patch, Third Party Advisory (x_refsource_misc): https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80
Scores
CVSS v3: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS: 0.0097
EPSS Percentile: 57.4%
Attack Vector: NETWORK
Details
CWE: CWE-611
Status: published
Products (2)
com.twelvemonkeys.imageio/imageio-metadata (Maven): 0 - 3.7.1
twelvemonkeys_project/twelvemonkeys: < 3.7.1
Published: May 06, 2022
Tracked Since: Feb 18, 2026