CVE-2021-44550 in CoreNLP

Summary

by MITRE • 02/24/2022

An Incorrect Access Control vulnerability exists in CoreNLP 4.3.2 via the classifier in NERServlet.java (lines 158 and 159).


Analysis

by VulDB Data Team • 02/26/2022

CVE-2021-44550 is an Incorrect Access Control flaw in Stanford CoreNLP 4.3.2, located in NERServlet.java at lines 158 and 159. NERServlet is the HTTP front end for CoreNLP's named entity recognition: it takes text from the request, runs it through a classifier and returns the entities it finds (persons, organizations, locations and so on). The servlet selects the classifier from the request and reaches the classification path without checking that the caller is entitled to use it, so any client that can reach the endpoint can drive the classifier.

At the affected lines the classifier chosen by the request is used without any check on who asked or on what was asked for. The servlet neither authenticates the caller nor restricts which classifier a request may select; it passes the request through to the classification code as received. An unauthenticated client can therefore submit arbitrary text and arbitrary classifier selections. The consequences this entry attributes to that are unauthorized use of the classification service, possible information disclosure, and denial of service through resource consumption.

Operationally the exposure is that of any unauthenticated processing endpoint. Whoever can reach the servlet can use it for bulk text analysis, which ties up CPU and memory and starves legitimate users, and anything downstream that trusts the servlet's output is now processing data the attacker chose. The risk is highest where CoreNLP runs in cloud or container environments that expose the service to untrusted networks, and in multi-tenant or public-facing deployments. Where the service handles sensitive text, unauthorized processing of that text without any oversight is an additional concern.

Mitigation starts with upgrading CoreNLP to version 4.3.3 or later, which carries the access control fix; the upgrade is the only fix for the servlet itself. Until then, restrict reachability of the NERServlet endpoint with firewall rules or access control lists to trusted addresses, and put an authentication layer (API keys, OAuth tokens or another credential check) in front of the service, since the servlet performs none of its own. A web application firewall in front of the endpoint can log and filter requests to it as an additional layer. VulDB classifies the entry under CWE-284 (Improper Access Control) and tags it with ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing). Deployments should also be audited and tested for the same pattern in other components of the framework, since an unauthenticated HTTP endpoint is rarely the only one.
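The checks the mitigation paragraph calls for, shown as an added example in plain Java that runs without a servlet container. This is not CoreNLP's NERServlet and not code from VulDB: the class and method names, the MAX_INPUT cap, the toy classifier and the API-key scheme are assumptions made for the illustration. lookupUnchecked mirrors the pattern the entry describes (a request value picks the classifier with no check on the caller or the value); decide is one way to close it: authenticate first, bound the input, then resolve the name only against the models the operator actually loaded.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/*
 * Added example, not code from CoreNLP or VulDB. NerGate, Classifier, Decision,
 * MAX_INPUT and the shared-secret API key are assumptions for the illustration.
 */
public class NerGate {

    static final int MAX_INPUT = 2000;          // assumed cap on request text

    /** Stand-in for a loaded NER model. */
    interface Classifier {
        String classify(String text);
    }

    /** Outcome of the gate: HTTP-style status, message, and the classifier to run (null when rejected). */
    static final class Decision {
        final int status;
        final String message;
        final Classifier classifier;

        Decision(int status, String message, Classifier classifier) {
            this.status = status;
            this.message = message;
            this.classifier = classifier;
        }

        boolean allowed() {
            return classifier != null;
        }
    }

    private final Map<String, Classifier> loaded;   // only models loaded at startup
    private final String defaultName;
    private final byte[] apiKey;                    // assumed shared secret, set at deploy time

    NerGate(Map<String, Classifier> loaded, String defaultName, String apiKey) {
        this.loaded = Collections.unmodifiableMap(new HashMap<>(loaded));
        this.defaultName = defaultName;
        this.apiKey = apiKey.getBytes(StandardCharsets.UTF_8);
    }

    /** The pattern the entry describes: the request value goes straight to the lookup, nobody is asked who they are. */
    Classifier lookupUnchecked(String requested) {
        String name = (requested == null || requested.trim().isEmpty()) ? defaultName : requested;
        return loaded.get(name);   // null for any name the server never loaded; nothing stops a caller from using it
    }

    /** Hardened path: authenticate, bound the input, then resolve the name against the allow-list. */
    Decision decide(String presentedKey, String requested, String input) {
        // Constant-time comparison so the key cannot be recovered byte by byte from timing.
        if (presentedKey == null
                || !MessageDigest.isEqual(apiKey, presentedKey.getBytes(StandardCharsets.UTF_8))) {
            return new Decision(401, "missing or invalid API key", null);
        }
        if (input == null || input.trim().isEmpty()) {
            return new Decision(400, "empty input", null);
        }
        if (input.length() > MAX_INPUT) {
            return new Decision(413, "input too long", null);
        }
        String name = (requested == null || requested.trim().isEmpty()) ? defaultName : requested.trim();
        Classifier c = loaded.get(name);
        if (c == null) {
            // Reject rather than echo or guess: only names the operator configured are valid.
            return new Decision(400, "unknown classifier", null);
        }
        return new Decision(200, "ok", c);
    }

    public static void main(String[] args) {
        Map<String, Classifier> models = new HashMap<>();
        models.put("english.all.3class", t -> "[PERSON " + t + "]");   // toy model, constructed for the demo
        NerGate gate = new NerGate(models, "english.all.3class", "change-me-at-deploy-time");

        System.out.println("unchecked, bogus name -> " + gate.lookupUnchecked("not-a-model"));
        System.out.println(gate.decide(null, "english.all.3class", "Stanford").message);
        System.out.println(gate.decide("change-me-at-deploy-time", "not-a-model", "Stanford").message);
        Decision ok = gate.decide("change-me-at-deploy-time", null, "Stanford");
        System.out.println(ok.status + " " + ok.classifier.classify("Stanford"));
    }
}
```

Run with `java NerGate.java` (Java 11 or later). The order of the checks matters: the credential is verified before any input is inspected, so an unauthenticated client cannot make the server spend effort on it, and the classifier name is never trusted as a key into anything the operator did not load.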

Reservation

12/06/2021

Disclosure

02/24/2022

Moderation

accepted

CPE

ready

EPSS

0.01239

KEV

no

Activities

very low

Sources
