VDB
CVE-2021-23792
PUBLISHED
The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 is vulnerable to XML External Entity (XXE) injection because the XML parser used to read XMP metadata is initialized without secure-processing restrictions. An attacker can exploit this if they can supply an image file (for example, an uploaded profile picture) containing a malicious XMP segment; the vulnerability is triggered when the application parses the XMP metadata of that image. Versions 3.7.1 and later are not affected.
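As an added illustration (not code from the advisory or from the TwelveMonkeys project), the following Python script shows what a malicious XMP payload looks like and a pre-parse check an upload pipeline can run before handing metadata to any XML parser: it walks the JPEG marker segments, extracts the APP1 XMP packet, and flags DTD constructs (DOCTYPE, ENTITY, SYSTEM/PUBLIC identifiers) that legitimate XMP never contains. The sample image bytes and XMP packets are constructed here, and the function names are this example's own.

```python
"""Flag DTD/external-entity constructs in a JPEG's XMP segment before XML parsing."""
import re
import struct
from typing import Iterator, List, Optional, Tuple

# APP1 segments carrying XMP begin with this namespace string, NUL-terminated (XMP spec part 3).
XMP_NS = b"http://ns.adobe.com/xap/1.0/\x00"
SOI = b"\xff\xd8"

# Constructs with no legitimate use in XMP: XMP is plain RDF/XML and never needs a DTD.
XXE_MARKERS: List[Tuple[str, re.Pattern]] = [
    ("DOCTYPE", re.compile(rb"<!DOCTYPE", re.I)),
    ("ENTITY", re.compile(rb"<!ENTITY", re.I)),
    ("SYSTEM", re.compile(rb"\bSYSTEM\s+[\"']", re.I)),
    ("PUBLIC", re.compile(rb"\bPUBLIC\s+[\"']", re.I)),
]


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each header segment before Start Of Scan."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:            # SOS: entropy-coded data follows, no further metadata
            return
        if marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            pos += 2                  # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def extract_xmp(data: bytes) -> Optional[bytes]:
    """Return the raw XMP packet from the first APP1/XMP segment, or None if absent."""
    for marker, payload in iter_segments(data):
        if marker == 0xE1 and payload.startswith(XMP_NS):
            return payload[len(XMP_NS):]
    return None


def xxe_findings(xmp: bytes) -> List[str]:
    """Names of DTD/external-entity constructs present in an XMP packet ([] if clean)."""
    return [name for name, pat in XXE_MARKERS if pat.search(xmp)]


def scan_jpeg(data: bytes) -> List[str]:
    """Findings for a JPEG byte string; [] means no XMP, or XMP free of DTD constructs."""
    xmp = extract_xmp(data)
    return [] if xmp is None else xxe_findings(xmp)


def build_jpeg(xmp: bytes) -> bytes:
    """Constructed fixture: SOI, one APP1/XMP segment, empty SOS, EOI. Not a decodable image."""
    payload = XMP_NS + xmp
    if len(payload) + 2 > 0xFFFF:
        raise ValueError("XMP too large for one APP1 segment (ExtendedXMP not handled here)")
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return SOI + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"


# Constructed sample packets; the entity target is illustrative, not from any real exploit.
MALICIOUS_XMP = b"""<?xml version="1.0"?>
<!DOCTYPE x [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <dc:title>&xxe;</dc:title>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>"""

BENIGN_XMP = b"""<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <dc:creator><rdf:Seq><rdf:li>Example User</rdf:li></rdf:Seq></dc:creator>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>"""

if __name__ == "__main__":
    for label, xmp in (("malicious", MALICIOUS_XMP), ("benign", BENIGN_XMP)):
        print(label, scan_jpeg(build_jpeg(xmp)))
```

Treat this as a cheap tripwire, not the control: the durable mitigation is upgrading to 3.7.1 or later, and, for any XML parser that touches untrusted metadata, rejecting DOCTYPE declarations and disabling external entity resolution. The scanner also reads only the first standard XMP segment; ExtendedXMP (additional APP1 segments under a different namespace) is deliberately out of scope, so a pipeline that depends on this check should fail closed on images it cannot fully inspect.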
Risk Scores
EPSS score: 0.30% (53.5th percentile)
Affected Products
The Versions column reproduces the tracker's range markers as exported rather than a list of vulnerable package versions; in OSV-style range data a bare 0 denotes the open lower bound of a range, not a package version. Confirm the fixed package revision for each release against the Ubuntu advisory linked under References.
| Vendor | Product | Versions (range markers as exported) |
|---|---|---|
| Ubuntu:25.10 | libtwelvemonkeys-java | 0, 3.11.0+dfsg-2 |
| Ubuntu:18.04:LTS | libtwelvemonkeys-java | 3.3.2-2, 0 |
| Ubuntu:22.04:LTS | libtwelvemonkeys-java | 3.8.0-1, 3.7.0-1, 3.8.1-1 |
| Ubuntu:20.04:LTS | libtwelvemonkeys-java | 0, 3.5-1, 3.4.2-1 |
| Ubuntu:24.04:LTS | libtwelvemonkeys-java | 0, 3.9.4-1 |
Exploit Intelligence
Timeline
- May 6, 2022 CVE Published
- May 8, 2022 EPSS Score
- May 17, 2022 CVE Updated
- Jun 26, 2022 EPSS Score
- Aug 16, 2022 EPSS Score
- Oct 4, 2022 EPSS Score
- Nov 23, 2022 EPSS Score
- Jan 11, 2023 EPSS Score
- Mar 1, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 20, 2023 EPSS Score
- Jun 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-23792 third-party-advisory
- https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80 third-party-advisory
- https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-23792 third-party-advisory