CVE-2021-44550: Header Manipulation · Issue #1222 · stanfordnlp/CoreNLP
An Incorrect Access Control vulnerability exists in CoreNLP 4.3.2 via the classifier in NERServlet.java (lines 158 and 159).
    // The value is taken directly from the request parameter.
    String classifier = request.getParameter("classifier");
    if (classifier == null || classifier.trim().isEmpty()) {
        classifier = this.defaultClassifier;
    }
    // Request-derived values are written into response headers without validation.
    response.addHeader("classifier", classifier);
    response.addHeader("outputFormat", outputFormat);
    response.addHeader("preserveSpacing", String.valueOf(preserveSpacing));
We found that 'classifier' may be contaminated on line 152 of NERServlet.java. Including unvalidated data in an HTTP response header can enable cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect… It will affect line 157 of NERServlet.java. Lines 158 and 159 have similar problems.
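One way to constrain the value before it reaches response.addHeader, shown as an added example that is not CoreNLP's code or its fix. The class name HeaderValueGuard, its two methods, the assumption that the server holds a set of loaded classifier names, and all sample values are hypothetical or constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical helper, not part of CoreNLP: decides what may be echoed
// into a response header for the "classifier" request parameter.
public class HeaderValueGuard {

    // True only for space and visible ASCII: no CR, LF, NUL or other control characters.
    static boolean isSafeHeaderValue(String value) {
        if (value == null) return false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < 0x20 || c > 0x7e) return false;
        }
        return true;
    }

    // Returns the requested classifier only if it is a name the server has
    // loaded (allowlist, an assumption here); anything else becomes the default.
    static String resolveClassifier(String requested, Set<String> loaded, String defaultClassifier) {
        if (requested == null) return defaultClassifier;
        String name = requested.trim();
        if (name.isEmpty() || !isSafeHeaderValue(name) || !loaded.contains(name)) {
            return defaultClassifier;
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed classifier names and request values for illustration.
        Set<String> loaded = Set.of("english.all.3class", "english.muc.7class");
        String def = "english.all.3class";
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("known name", "english.muc.7class");
        samples.put("empty", "   ");
        samples.put("unknown name", "not-a-loaded-model");
        samples.put("embedded CRLF", "english.muc.7class\r\nX-Injected: 1");
        for (Map.Entry<String, String> e : samples.entrySet()) {
            // Only the resolved value would be passed to response.addHeader.
            String header = resolveClassifier(e.getValue(), loaded, def);
            System.out.printf("%-14s -> classifier: %s%n", e.getKey(), header);
        }
    }
}
```

Because the header value is always either the default or an exact member of the allowlist, the response never carries attacker-chosen bytes, and the control-character check covers the case where an allowlist is not available for a given header.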