{"id":"CVE-2021-23792","details":"The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.","aliases":["GHSA-pjch-4g28-fxx7"],"modified":"2026-04-11T13:53:54.587503Z","published":"2022-05-06T20:15:07.863Z","related":["SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763"],"references":[{"type":"FIX","url":"https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/haraldk/TwelveMonkeys","events":[{"introduced":"0"},{"fixed":"1d47d2ef90dd316c8067f4b48f6fc26b609c687f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.7.1"}]}},{"type":"GIT","repo":"https://github.com/haraldk/twelvemonkeys","events":[{"introduced":"0"},{"fixed":"da4efe98bf09e1cce91b7633cb251958a200fc80"}]}],"versions":["2.2","2.3","twelvemonkeys-3.0","twelvemonkeys-3.0-rc5","twelvemonkeys-3.0-rc7","twelvemonkeys-3.3","twelvemonkeys-3.4","twelvemonkeys-3.5","twelvemonkeys-3.6","twelvemonkeys-3.7.0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T13:53:54Z","vanir_signatures":[{"target":{"function":"read","file":"imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReader.java"},"deprecated":false,"id":"CVE-2021-23792-0470fdfe","source":"https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80","signature_version":"v1","signature_type":"Function","digest":{"function_hash":"249218010626227176164604436029732734196","length":669}},{"target":{"function":"parseDirectories","file":"imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReader.java"},"deprecated":false,"id":"CVE-2021-23792-22a0036d","source":"https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80","signature_version":"v1","signature_type":"Function","digest":{"function_hash":"108812834923943270836664632032017558428","length":1251}},{"target":{"function":"getChildTextValue","file":"imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReader.java"},"deprecated":false,"id":"CVE-2021-23792-687a5cc0","source":"https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80","signature_version":"v1","signature_type":"Function","digest":{"function_hash":"137080493607862650009839461916716891180","length":1280}},{"target":{"function":"parseAsResource","file":"imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReader.java"},"deprecated":false,"id":"CVE-2021-23792-938ce4bd","source":"https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80","signature_version":"v1","signature_type":"Function","digest":{"function_hash":"39711226668658736157575672272239862559","length":356}},{"target":{"function":"parseAttributesForKnownElements","file":"imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReader.java"},"deprecated":false,"id":"CVE-2021-23792-a0165de6","source":"https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80","signature_version":"v1","signature_type":"Function","digest":{"function_hash":"254527692919997313583309745924223135863","length":486}},{"target":{"file":"imageio/imageio-metadata/src/test/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReaderTest.java"},"deprecated":false,"id":"CVE-2021-23792-a0d7055c","source":"https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80","signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["327998220339355602299556373864585003634","145814379119637299409074545812429438862","192505313023992790542131442162455716618","44453959459554252382726517395807381726","306817302635149662702730401557985969453","326133793164955957579988442241386621339","58163357235404058154386110755593714466","266999122118542446380227571625400412889","148510360459993071900330443519011737851","17012596010008438980978503736031548944","208614450279193310137966228547158286121","242388455758700056689404889894982800944","276151400404807882752784740625244167979","26605620446647947672638392010474876410","171925554714234707141416734736419799679","272554317607679861709700753736616160443","266675738967938644604867649105845123718","306179096358793757480391146901792076039","241178211497079675306067273929235830818","142229661374811684827734543444430768130"],"threshold":0.9}},{"target":{"file":"imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/xmp/XMPReader.java"},"deprecated":false,"id":"CVE-2021-23792-fc803ff4","source":"https://github.com/haraldk/twelvemonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80","signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["109430832738143455120479419505669885545","153398371985210580700076355138219374794","95295885105191930446809254648803272409","71121135989217540836949905668148238086","212942191144831929933047669221338599788","97823293186425606739246766548973696255","337294414537833868961214928448280164670","45067866915330711952151848753084876395","167316933950668319430754136214863037880","236133051588498854327398253458973361916","261022108063021789214588770179384583398","209095146915105737454820349005276847214","135166134900656758889428605344545462240","293039685699109050827018666366023563037","312860325412524453475492867373344434628","165082927862868849422430342157783602369","233500157548367959446187541355335174390","138083795879566608623510279781326328791","53328939517840849989602996156675947778","316125271331337495365364949781981904411","83791912691571264677931659758702187529","72300697728043644644983676023873080085","237068344233129815200236414425396210201","298058998372345689505580646700477258118","45498028908813664359102532053547628329","47826476640434865251629908234339402118","184971952414113635720945471653414674519","290184595041700880873585101091975180617","211685488205842600771316675698082954878","325260756660564055554207711554199193505","231998555253959436704675209071214641697","225871998973908283450350928771682351860","148900234674556144828624193999968709378","283832229005206364105550202145207456090","292147653027658904343358009059424151386","207815542482919913160858248270770121576","260044411518719883080109257286298543840","272965198578538375989722477045742010246","245453091759853192937480253636826975915","114807149199863925145204304095223585348","272741031418997059003400992594318793374","35686787500655768220334086233589456561","220815896043024455829866302227895310767","268761609525573738895951733415980424775","122846504932110270410407011188802656238","133189560222375701518526599027337763497","182575872759815143572315825469158402592","122461724368905257760115294313978468249","5985331516239516758580686005239155406","277506322394576973647163637767365393076","27818683116611118829733200144951374935","212315900888563817037038472823061318473","211841602757196592011473436534530394037","179634867845876226245732289300223519314","90476220996872661823836365567500489879","271063576572738206347903739826891380746","207865032252082282280227748102785822137","329831160373217167377421670939303821023","96116615608648385015445775778612271495","79742602509029303990551429901368897378","273786200093974627855675995948718884249","256498597257099898031577861028102838540","60519258414085187317819955262452312663"],"threshold":0.9}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23792.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}