CVE-2021-3869

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-3869
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3869.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-3869
Aliases
Published
2021-10-19T13:15:11.773Z
Modified
2026-04-11T21:23:15.214954Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

References

Affected packages

Git / github.com/stanfordnlp/corenlp

Affected ranges

Type
GIT
Repo
https://github.com/stanfordnlp/corenlp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
147e45894f007caf7dd5c7f7677bcfcf95a38e94
Fixed
5d83f1e8482ca304db8be726cad89554c88f136a
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.3.0"
        }
    ]
}

Affected versions

v1.*
v1.3.5
v1.3.6
v3.*
v3.3.0
v3.3.1
v3.4.0
v3.4.1
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.7.0
v3.8.0
v3.9.1
v3.9.2
v3.9.2b
v4.*
v4.1.0
v4.2.0
v4.2.2
v4.3.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3869.json"
vanir_signatures_modified 
"2026-04-11T21:23:15Z"
vanir_signatures 
[
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
        "digest": {
            "function_hash": "282228415339455438273734548232919417045",
            "length": 211.0
        },
        "id": "CVE-2021-3869-03736584",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/util/XMLUtils.java",
            "function": "readDocumentFromString"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
        "digest": {
            "function_hash": "339539532999718011766812238207211020505",
            "length": 974.0
        },
        "id": "CVE-2021-3869-0b9d4f2e",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/util/XMLUtils.java",
            "function": "getTagElementTriplesFromFileNumBoundedSAXException"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
        "digest": {
            "function_hash": "133618988560491517863661952410748659093",
            "length": 267.0
        },
        "id": "CVE-2021-3869-0f321a2a",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/util/XMLUtils.java",
            "function": "readDocumentFromFile"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
        "digest": {
            "function_hash": "57875381660395587146500002792859507625",
            "length": 839.0
        },
        "id": "CVE-2021-3869-288456af",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/util/XMLUtils.java",
            "function": "getValidatingXmlParser"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "113721122306961811307245648912784140951",
                "15380452587329287648139737907248756542",
                "67261017168127998554694966176536520105",
                "82236319493109517157520277073675849847",
                "72099698087150977088053670808564442814",
                "140280342361643877020607900895017066103",
                "176175501865156546835651553731543194374",
                "131018909406202936379328885969984351084",
                "130652315381450011727468856986671065747",
                "140280342361643877020607900895017066103",
                "176175501865156546835651553731543194374",
                "314058722991527430007903051163367355872",
                "114923087756976839571355317777718125208",
                "140280342361643877020607900895017066103",
                "176175501865156546835651553731543194374",
                "288204655518965274734603104663230841055",
                "35688767085801854987539247536046927413",
                "213972472363990541398999870938382036360",
                "84590011855248043900451544782037181067",
                "176504653225379522938058681059997409753",
                "82315799528386862952629269159980388374",
                "258465410988051223891552779164057422124",
                "236505832634362512688958274748043291174",
                "271343112764026587792505873989817992095",
                "213756788319461207989688851556298405952",
                "179161810648301094875019735716629057721",
                "120001685974256268313882429731009057167",
                "255524276254612195828047085873515440046",
                "27556299056242409823784886435869375651",
                "181697664564629601600919907052829826187",
                "340237840694337195563965595212234174254"
            ]
        },
        "id": "CVE-2021-3869-47d2fb68",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/util/XMLUtils.java"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
        "digest": {
            "function_hash": "97708914565267883729877422803920359090",
            "length": 853.0
        },
        "id": "CVE-2021-3869-4f9e6373",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/util/XMLUtils.java",
            "function": "getTextContentFromTagsFromFileSAXException"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
        "digest": {
            "function_hash": "141040611034541970636184340523254228131",
            "length": 262.0
        },
        "id": "CVE-2021-3869-8e366bfb",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/time/XMLUtils.java",
            "function": "parseElement"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "191152860695934471935233419423974690325",
                "312008131744248285121188310548798799410",
                "162011497828968531108310790939962780940",
                "76589103331221181946981564661371888675",
                "227888927651163007866069655212143990451",
                "289723381403125099761902686883332123565",
                "176677960171810263803004843855572462575",
                "54288892236125364699576036506607470091",
                "180752849411623004677800510525005492403",
                "159792508167345579893610196532019324736"
            ]
        },
        "id": "CVE-2021-3869-a5d9e4b4",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/time/XMLUtils.java"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
        "digest": {
            "function_hash": "317754328735163369111994239802752733032",
            "length": 724.0
        },
        "id": "CVE-2021-3869-bab5fc67",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/util/XMLUtils.java",
            "function": "getXmlParser"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
        "digest": {
            "function_hash": "132369660363934791855361247269377252760",
            "length": 197.0
        },
        "id": "CVE-2021-3869-bda732d7",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/time/XMLUtils.java",
            "function": "createDocument"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
        "digest": {
            "function_hash": "294075203263025272792390295018518329801",
            "length": 525.0
        },
        "id": "CVE-2021-3869-e7629b96",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/util/XMLUtils.java",
            "function": "getTagElementsFromFileSAXException"
        }
    }
]