
CVE-2021-3869: Improper Restriction of XML External Entity Reference in Stanford CoreNLP

CVSS Score: 7.5

Basic Information

EPSS Score
-
Published
5/24/2022
Updated
1/27/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name                       | Ecosystem | Vulnerable Versions | First Patched Version
edu.stanford.nlp:stanford-corenlp  | maven     | <= 4.3.0            | 4.3.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from calling DocumentBuilderFactory.newInstance() without configuring the security features that prevent XXE attacks. The patch introduced a safeDocumentBuilderFactory() method that disables DTDs and external entities and enables secure processing. In pre-patch versions, all identified functions instantiated DocumentBuilderFactory directly without these protections, so any XML they parsed could trigger external entity resolution.
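The two patterns the analysis contrasts, as an added example that is not CoreNLP's own code: the unhardened default factory beside a factory hardened along the lines of the described safeDocumentBuilderFactory(). The class name, method names and the specific parser feature URIs used here are assumptions, not taken from the project; the sample document is constructed and contains only an internal entity.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;

public class XxeHardeningDemo {
    // Pre-patch pattern from the analysis above: a default factory. The JDK default
    // resolves external entities and loads external DTDs, which is the XXE exposure.
    static DocumentBuilderFactory unsafeFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory in the spirit of the patch's safeDocumentBuilderFactory():
    // no DOCTYPE at all, no external general/parameter entities, no external DTD
    // loading, and FEATURE_SECURE_PROCESSING on. Feature URIs are an assumption (Xerces).
    static DocumentBuilderFactory safeFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Constructed sample input: a harmless document that merely carries a DOCTYPE with
    // an internal entity. The hardened factory rejects it before any entity is resolved.
    static final String DOC_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<note>&greeting;</note>";
    // Returns true if the factory parses the document, false if it refuses it.
    static boolean parses(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement() != null;
        } catch (Exception e) { // SAXParseException: DOCTYPE is disallowed
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory parses DOCTYPE:  " + parses(unsafeFactory(), DOC_WITH_DTD));
        System.out.println("hardened factory parses DOCTYPE: " + parses(safeFactory(), DOC_WITH_DTD));
    }
}
```

Auditing a codebase for this class of bug means finding every DocumentBuilderFactory.newInstance() (and the SAX, StAX and Transformer equivalents) that is not routed through a hardened helper like safeFactory().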


WAF Protection Rules

WAF Rule

CoreNLP is vulnerable to Improper Restriction of XML External Entity Reference