PT-2022-9427 · Twelvemonkeys+1 · Imageio-Metadata+1

Timo Müller · Published 2022-05-06 · Updated 2022-05-17 · CVE-2021-23792

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: com.twelvemonkeys.imageio:imageio-metadata versions prior to 3.7.1

Description: The vulnerability stems from an insecurely initialized XML parser used to read XMP metadata, which allows XML External Entity (XXE) injection. An attacker can exploit it by supplying an image file with a malicious XMP segment, for example as an online profile picture. Whenever the XMP metadata of the uploaded image is parsed, the XXE is triggered.

Recommendations: For versions prior to 3.7.1, update to version 3.7.1 or later to resolve the issue. As a temporary workaround, restrict the processing of XMP metadata from untrusted sources until the update is applied, and avoid parsing XMP metadata with an insecurely initialized XML parser.
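As an added defensive example (not code from this advisory or from the TwelveMonkeys project), the Java snippet below contrasts a default-initialized JAXP DocumentBuilderFactory, the "insecurely initialized" shape the advisory warns about, with one hardened for reading XMP packets, and runs both over a constructed XMP packet that carries a DOCTYPE. The class and method names and the sample packet are assumptions of this example; it relies on the JDK's built-in JAXP parser, which honours the Xerces feature URIs used here.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XmpParserHardening {

    // Constructed sample (not from the advisory): an XMP packet whose prolog smuggles in a
    // DOCTYPE. Well-formed XMP never needs a DOCTYPE, so its presence alone is a red flag.
    // Only an internal entity is declared here; a hardened parser must refuse the packet
    // before any entity, internal or external, is ever resolved.
    static final String XMP_WITH_DOCTYPE =
          "<?xpacket begin=\"\" id=\"W5M0MpCehiHzreSzNTczkc9d\"?>\n"
        + "<!DOCTYPE x [ <!ENTITY injected \"constructed-entity-value\"> ]>\n"
        + "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\">\n"
        + "  <rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\n"
        + "    <rdf:Description xmlns:dc=\"http://purl.org/dc/elements/1.1/\">\n"
        + "      <dc:title>&injected;</dc:title>\n"
        + "    </rdf:Description>\n"
        + "  </rdf:RDF>\n"
        + "</x:xmpmeta>\n"
        + "<?xpacket end=\"w\"?>";

    // The weak setting: a factory left at JAXP defaults resolves DOCTYPEs and entities.
    static DocumentBuilderFactory insecureFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // The corrected setting for metadata parsing.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: this single feature blocks external entities
        // and entity-expansion attacks in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true if the factory accepted and parsed the packet, false if it refused it.
    static boolean accepts(DocumentBuilderFactory factory, String xmp) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(new InputSource(new StringReader(xmp)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            // A SAXParseException such as "DOCTYPE is disallowed" lands here for the
            // hardened factory; log it as a detection signal in a real deployment.
            return false;
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        System.out.println("default factory accepts DOCTYPE packet:  "
                + accepts(insecureFactory(), XMP_WITH_DOCTYPE));
        System.out.println("hardened factory accepts DOCTYPE packet: "
                + accepts(hardenedFactory(), XMP_WITH_DOCTYPE));
    }
}
```

Compiled and run against a standard JDK, the first line prints true (the default factory happily expands the declared entity into dc:title) and the second prints false (the hardened factory rejects the packet at the DOCTYPE, so no entity is ever resolved). The same feature set applies to a SAXParserFactory or XMLInputFactory if the metadata reader is built on those APIs instead.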

Fix

XXE


Weakness Enumeration

Related Identifiers

CVE-2021-23792
GHSA-PJCH-4G28-FXX7
SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763

Affected Products

Debian
Imageio-Metadata