The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
References
Link | Resource |
---|---|
https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80 | Patch Third Party Advisory |
https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763 | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: snyk
Published: 2022-05-06T00:00:00
Updated: 2022-05-06T20:05:10
Reserved: 2021-01-08T00:00:00
Link: CVE-2021-23792
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-05-06T20:15:07.863
Modified: 2022-05-17T17:20:01.153
Link: CVE-2021-23792
JSON object: View
Redhat Information
No data.
CWE