CVE-2021-23792
External Entity Reference in TwelveMonkeys ImageIO
9.8
CRITICAL
CVSS 3.1
EPSS 0.30%
Description
The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
How to fix CVE-2021-23792
To remediate CVE-2021-23792, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 3.7.1 or later
Is CVE-2021-23792 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 3.7.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |