The package com.twelvemonkeys.imageio:imageio-metadata before version 3.7.1 is vulnerable to XML External Entity (XXE) Injection because the XML parser used to read XMP metadata is initialized without secure processing (external entity resolution is not disabled). An attacker can exploit this if they are able to supply an image file containing a malicious XMP segment, e.g. when a user-uploaded profile picture is processed server-side. The vulnerability is triggered only when the XMP metadata of the supplied image is actually parsed; merely storing the file does not trigger it. Upgrade to 3.7.1 or later; applications that cannot upgrade should ensure any XML parser handling untrusted image metadata has DTD processing and external entity resolution disabled.
[
{
"signature_version": "v1",
"source": "https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80",
"deprecated": false,
"target": {
"file": "imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReader.java",
"function": "read"
},
"signature_type": "Function",
"id": "CVE-2021-23792-0470fdfe",
"digest": {
"function_hash": "249218010626227176164604436029732734196",
"length": 669.0
}
},
{
"signature_version": "v1",
"source": "https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80",
"deprecated": false,
"target": {
"file": "imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReader.java",
"function": "parseDirectories"
},
"signature_type": "Function",
"id": "CVE-2021-23792-22a0036d",
"digest": {
"function_hash": "108812834923943270836664632032017558428",
"length": 1251.0
}
},
{
"signature_version": "v1",
"source": "https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80",
"deprecated": false,
"target": {
"file": "imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReader.java",
"function": "getChildTextValue"
},
"signature_type": "Function",
"id": "CVE-2021-23792-687a5cc0",
"digest": {
"function_hash": "137080493607862650009839461916716891180",
"length": 1280.0
}
},
{
"signature_version": "v1",
"source": "https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80",
"deprecated": false,
"target": {
"file": "imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReader.java",
"function": "parseAsResource"
},
"signature_type": "Function",
"id": "CVE-2021-23792-938ce4bd",
"digest": {
"function_hash": "39711226668658736157575672272239862559",
"length": 356.0
}
},
{
"signature_version": "v1",
"source": "https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80",
"deprecated": false,
"target": {
"file": "imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReader.java",
"function": "parseAttributesForKnownElements"
},
"signature_type": "Function",
"id": "CVE-2021-23792-a0165de6",
"digest": {
"function_hash": "254527692919997313583309745924223135863",
"length": 486.0
}
},
{
"signature_version": "v1",
"source": "https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80",
"deprecated": false,
"target": {
"file": "imageio/imageio-metadata/src/test/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReaderTest.java"
},
"signature_type": "Line",
"id": "CVE-2021-23792-a0d7055c",
"digest": {
"line_hashes": [
"327998220339355602299556373864585003634",
"145814379119637299409074545812429438862",
"192505313023992790542131442162455716618",
"44453959459554252382726517395807381726",
"306817302635149662702730401557985969453",
"326133793164955957579988442241386621339",
"58163357235404058154386110755593714466",
"266999122118542446380227571625400412889",
"148510360459993071900330443519011737851",
"17012596010008438980978503736031548944",
"208614450279193310137966228547158286121",
"242388455758700056689404889894982800944",
"276151400404807882752784740625244167979",
"26605620446647947672638392010474876410",
"171925554714234707141416734736419799679",
"272554317607679861709700753736616160443",
"266675738967938644604867649105845123718",
"306179096358793757480391146901792076039",
"241178211497079675306067273929235830818",
"142229661374811684827734543444430768130"
],
"threshold": 0.9
}
},
{
"signature_version": "v1",
"source": "https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80",
"deprecated": false,
"target": {
"file": "imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReader.java"
},
"signature_type": "Line",
"id": "CVE-2021-23792-fc803ff4",
"digest": {
"line_hashes": [
"109430832738143455120479419505669885545",
"153398371985210580700076355138219374794",
"95295885105191930446809254648803272409",
"71121135989217540836949905668148238086",
"212942191144831929933047669221338599788",
"97823293186425606739246766548973696255",
"337294414537833868961214928448280164670",
"45067866915330711952151848753084876395",
"167316933950668319430754136214863037880",
"236133051588498854327398253458973361916",
"261022108063021789214588770179384583398",
"209095146915105737454820349005276847214",
"135166134900656758889428605344545462240",
"293039685699109050827018666366023563037",
"312860325412524453475492867373344434628",
"165082927862868849422430342157783602369",
"233500157548367959446187541355335174390",
"138083795879566608623510279781326328791",
"53328939517840849989602996156675947778",
"316125271331337495365364949781981904411",
"83791912691571264677931659758702187529",
"72300697728043644644983676023873080085",
"237068344233129815200236414425396210201",
"298058998372345689505580646700477258118",
"45498028908813664359102532053547628329",
"47826476640434865251629908234339402118",
"184971952414113635720945471653414674519",
"290184595041700880873585101091975180617",
"211685488205842600771316675698082954878",
"325260756660564055554207711554199193505",
"231998555253959436704675209071214641697",
"225871998973908283450350928771682351860",
"148900234674556144828624193999968709378",
"283832229005206364105550202145207456090",
"292147653027658904343358009059424151386",
"207815542482919913160858248270770121576",
"260044411518719883080109257286298543840",
"272965198578538375989722477045742010246",
"245453091759853192937480253636826975915",
"114807149199863925145204304095223585348",
"272741031418997059003400992594318793374",
"35686787500655768220334086233589456561",
"220815896043024455829866302227895310767",
"268761609525573738895951733415980424775",
"122846504932110270410407011188802656238",
"133189560222375701518526599027337763497",
"182575872759815143572315825469158402592",
"122461724368905257760115294313978468249",
"5985331516239516758580686005239155406",
"277506322394576973647163637767365393076",
"27818683116611118829733200144951374935",
"212315900888563817037038472823061318473",
"211841602757196592011473436534530394037",
"179634867845876226245732289300223519314",
"90476220996872661823836365567500489879",
"271063576572738206347903739826891380746",
"207865032252082282280227748102785822137",
"329831160373217167377421670939303821023",
"96116615608648385015445775778612271495",
"79742602509029303990551429901368897378",
"273786200093974627855675995948718884249",
"256498597257099898031577861028102838540",
"60519258414085187317819955262452312663"
],
"threshold": 0.9
}
}
]