AVID-2026-R0932
Description
Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp (CVE-2022-0198)
Details
corenlp is vulnerable to Improper Restriction of XML External Entity Reference (XXE).
Reason for inclusion in AVID: CVE-2022-0198 affects stanfordnlp/corenlp, a library used in NLP/AI pipelines. This is a software vulnerability in a dependency that can impact AI systems built, trained, or deployed with such tooling, which establishes its software-supply-chain relevance for general-purpose AI stacks. The CVE description, CWE-611, and the references (NVD entry, fixing commit) provide clear evidence of the vulnerability.
References
- NVD entry
- https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763
- https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d
Affected or Relevant Artifacts
- Developer: stanfordnlp
- Deployer: stanfordnlp
- Artifact Details:
| Type | Name |
|---|---|
| System | stanfordnlp/corenlp |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N |
| Base Score | 6.1 |
| Base Severity | 🟠 Medium |
| Attack Vector | LOCAL |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🟢 Low |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-611 | Improper Restriction of XML External Entity Reference |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-01-13
- Version: 0.3.3
- AVID Entry