CVE-2021-47621
XML External Entity (XXE) vulnerability in classgraph (Maven)
What is CVE-2021-47621 About?
ClassGraph before 4.8.112 was vulnerable to XML External Entity (XXE) attacks. This allows an attacker to read local files, execute external commands, or perform SSRF by injecting malicious entity definitions into XML documents processed by ClassGraph. Exploitation is moderately complex, requiring the ability to supply crafted XML input and specific XML parser configurations.
Affected Software
Technical Details
The vulnerability in ClassGraph before 4.8.112 stems from its XML parser not being resistant to XML External Entity (XXE) attacks. When ClassGraph parses XML documents, it allows the processing of external entity declarations. An attacker can craft a malicious XML document containing an ENTITY declaration that refers to external resources (e.g., <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>). When ClassGraph processes this crafted XML, the parser will resolve the external entity, leading to the inclusion of content from arbitrary local files, execution of external commands (via php://filter or expect:// protocols depending on environment), or Server-Side Request Forgery (SSRF) if it processes remote URLs, thereby exposing sensitive information or compromising the system.
What is the Impact of CVE-2021-47621?
Successful exploitation may allow attackers to read arbitrary local files, disclose sensitive information, perform Server-Side Request Forgery (SSRF), or potentially execute arbitrary code on the server.
What is the Exploitability of CVE-2021-47621?
Exploitation of this XXE vulnerability has moderate complexity. It requires an attacker to be able to supply specially crafted XML input to the application that uses ClassGraph for XML parsing. There are typically no specific authentication or privilege requirements beyond whatever is needed to interact with the XML input-processing functionality. It can be exploited remotely if the application accepts XML input from external sources. The primary special condition is that the XML parser configuration within ClassGraph must not have external entity processing disabled by default. The likelihood of exploitation increases if the application extensively processes untrusted XML data or configuration files.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-47621?
About the Fix from Resolved Security
This patch mitigates XML External Entity (XXE) attacks by configuring the DocumentBuilderFactory and XPathFactory with secure processing features and disabling external entity loading. By preventing the parsing of external DTDs and schemas, it protects against XXE vulnerabilities such as CVE-2021-47621, which could allow an attacker to read arbitrary files or perform denial-of-service attacks via crafted XML input.
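As an added illustration of the hardening described above (example code written for this page, not ClassGraph's own code and not the fix commit itself): a DocumentBuilderFactory and XPathFactory configured with secure processing and external entity loading disabled, exercised against a constructed XXE-style document. The class name HardenedXmlParsing and the placeholder SYSTEM URI are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathFactoryConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.xml.sax.SAXParseException;

public class HardenedXmlParsing {
    // Factory hardened against XXE: DOCTYPEs are rejected outright, and external
    // entities / DTD loading are also disabled as defence in depth.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // XPathFactory with secure processing on, restricting XPath functions that
    // could reach external resources.
    public static XPathFactory hardenedXPathFactory() throws XPathFactoryConfigurationException {
        XPathFactory xpf = XPathFactory.newInstance();
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return xpf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an XXE-style document; the SYSTEM URI is a placeholder.
        String xxe = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///PLACEHOLDER_PATH\">]>\n"
            + "<foo>&xxe;</foo>";
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xxe.getBytes(StandardCharsets.UTF_8)));
            System.out.println("parsed (unexpected)");
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE is rejected before any entity can be resolved.
            System.out.println("rejected: " + e.getMessage());
        }
        hardenedXPathFactory(); // also configured; would be used for XPath queries on the tree
    }
}
```

With disallow-doctype-decl enabled the sample document fails fast with a SAXParseException, so the external entity is never fetched; the remaining features keep external entities and DTDs off even on parsers that ignore that first feature.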
Available Upgrade Options
- io.github.classgraph:classgraph
- <4.8.112 → Upgrade to 4.8.112
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-47621
- https://github.com/classgraph/classgraph/commit/681362ad6b0b9d9abaffb2e07099ce54d7a41fa3
- https://docs.r3.com/en/platform/corda/4.8/enterprise/release-notes-enterprise.html
- https://github.com/classgraph/classgraph/pull/539
- https://github.com/classgraph/classgraph
- https://osv.dev/vulnerability/GHSA-v2xm-76pq-phcf
- https://github.com/classgraph/classgraph/releases/tag/classgraph-4.8.112
What are Similar Vulnerabilities to CVE-2021-47621?
Similar Vulnerabilities: CVE-2021-26297, CVE-2021-42392, CVE-2022-22947, CVE-2020-17530, CVE-2019-10020
