Vulnerability Description
The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) Injection because the XML parser used to read XMP metadata is initialized insecurely. An attacker can exploit this vulnerability if they can supply a file (e.g. an online profile picture that is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, the XXE vulnerability is triggered.
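The root cause named above is an XML parser created with default settings; the mitigation is to disable DTD processing and external entity resolution before the XMP packet is parsed. The following is an added Java example, not TwelveMonkeys' own code, showing such a hardened DocumentBuilderFactory applied to a constructed XMP packet (the class and method names are assumptions).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class SafeXmpParser {
    // Factory with DTD processing and external entity resolution disabled, so an
    // XMP packet carrying a DOCTYPE or external entity cannot reach disk or network.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Parses an XMP packet (already extracted from the image's metadata segment)
    // and returns the number of rdf:Description elements it contains.
    static int parseXmp(byte[] xmp) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xmp));
        return doc.getElementsByTagNameNS(
                "http://www.w3.org/1999/02/22-rdf-syntax-ns#", "Description").getLength();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal, well-formed XMP packet.
        String benign = "<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
            + "<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>"
            + "<rdf:Description rdf:about=''/></rdf:RDF></x:xmpmeta>";
        System.out.println("descriptions: " + parseXmp(benign.getBytes(StandardCharsets.UTF_8)));

        // Constructed sample: the same packet with a DOCTYPE prepended; the hardened
        // parser rejects it before any entity declaration is processed.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e 'x'>]>" + benign;
        try {
            parseXmp(withDoctype.getBytes(StandardCharsets.UTF_8));
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The feature URIs are those of the JDK's built-in Xerces parser; other parser implementations may need their own equivalents.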
CVSS Score
7.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Twelvemonkeys Project | Twelvemonkeys | < 3.7.1 |
Related Weaknesses (CWE)
References
- https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958 (Patch, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763 (Patch, Third Party Advisory)
FAQ
What is CVE-2021-23792?
CVE-2021-23792 is a vulnerability with a CVSS score of 7.3 (HIGH). The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attac...
How severe is CVE-2021-23792?
CVE-2021-23792 has been rated HIGH with a CVSS base score of 7.3/10. See the CVSS score section above.
Is there a patch for CVE-2021-23792?
Check the references section above for vendor advisories and patch information. Affected products include: Twelvemonkeys (Twelvemonkeys Project), versions before 3.7.1.