9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23792

GHSA ID

GHSA-pjch-4g28-fxx7

EPSS Score

0.51299%

CWE

CWE-611

Published

5/7/2022

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-23792

CVE-2021-23792: External Entity Reference in TwelveMonkeys ImageIO

The package com.twelvemonkeys.imageio:imageio-metadata before version 3.7.1 is vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23792

GHSA ID

GHSA-pjch-4g28-fxx7

EPSS Score

0.51299%

CWE

CWE-611

Published

5/7/2022

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.twelvemonkeys.imageio:imageio-metadata	maven	< 3.7.1	3.7.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parser configuration in the XMPReader's read method. The pre-patch code directly used DocumentBuilderFactory.newInstance() without disabling DTDs/external entities. The fix introduced a createDocumentBuilderFactory method that explicitly disables XInclude, entity expansion, and external resource access. The test case added in XMPReaderTest.java with an XXE payload confirms the attack vector. The read method's parser initialization was the entry point for malicious XMP metadata processing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p**k*** *om.tw*lv*monk*ys.im***io:im***io-m*t***t* ***or* v*rsion *.*.* is vuln*r**l* to XML *xt*rn*l *ntity (XX*) Inj**tion *u* to *n ins**ur*ly initi*liz** XML p*rs*r *or r***in* XMP M*t***t*. *n *tt**k*r **n *xploit t*is vuln*r**ility i* t**y

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rs*r *on*i*ur*tion in t** XMPR****r's r*** m*t*o*. T** pr*-p*t** *o** *ir**tly us** *o*um*nt*uil**r***tory.n*wInst*n**() wit*out *is**lin* *T*s/*xt*rn*l *ntiti*s. T** *ix intro*u*** * *r**t**o*um*nt*uil**r*

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-23792: External Entity Reference in TwelveMonkeys ImageIO

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI