CVE-2021-23792 – com.twelvemonkeys.imageio:imageio-metadata

Package

Manager: maven
Name: com.twelvemonkeys.imageio:imageio-metadata
Vulnerable Version: >=0 <3.7.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00282 pctl0.51197

Details

External Entity Reference in TwelveMonkeys ImageIO The package com.twelvemonkeys.imageio:imageio-metadata before version 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.

Metadata

Created: 2022-05-07T00:00:31Z
Modified: 2022-05-24T20:58:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pjch-4g28-fxx7/GHSA-pjch-4g28-fxx7.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-pjch-4g28-fxx7
Finding: F083
Auto approve: 1