CVE-2021-3878

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-3878
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3878.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-3878
Aliases
Published
2021-10-15T14:15:07.857Z
Modified
2025-11-19T17:35:39.910622Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

References

Affected packages

Git / github.com/stanfordnlp/corenlp

Affected ranges

Type
GIT
Repo
https://github.com/stanfordnlp/corenlp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "source": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/semgraph/semgrex/ssurgeon/Ssurgeon.java",
            "function": "createPatternXMLDoc"
        },
        "id": "CVE-2021-3878-7229d502",
        "signature_type": "Function",
        "digest": {
            "function_hash": "291074622600642610157368812944203434980",
            "length": 1586.0
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/ie/machinereading/common/DomReader.java",
            "function": "readDocument"
        },
        "id": "CVE-2021-3878-9813aae8",
        "signature_type": "Function",
        "digest": {
            "function_hash": "113266199536841263999060233615632176269",
            "length": 526.0
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/ie/machinereading/common/DomReader.java"
        },
        "id": "CVE-2021-3878-9c0c6d9b",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/semgraph/semgrex/ssurgeon/Ssurgeon.java",
            "function": "readFromFile"
        },
        "id": "CVE-2021-3878-c184250c",
        "signature_type": "Function",
        "digest": {
            "function_hash": "195774482806396804331330397921589092113",
            "length": 863.0
        }
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99",
        "deprecated": false,
        "target": {
            "file": "src/edu/stanford/nlp/semgraph/semgrex/ssurgeon/Ssurgeon.java"
        },
        "id": "CVE-2021-3878-ef0b7437",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9
        }
    }
]