CVE-2023-39020: 
Java vulnerability analysis and mitigation

Stanford Parser version 3.9.2 and below contains a code injection vulnerability in the component edu.stanford.nlp.io.getBZip2PipedInputStream. The vulnerability was discovered and disclosed on July 28, 2023, and affects the Stanford Parser Java library. The vulnerability has been assigned CVE-2023-39020 and received a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD, FortiGuard).

The vulnerability exists in the edu.stanford.nlp.io.IOUtils.java file, specifically in the getBZip2PipedInputStream method. The vulnerability occurs when the method fails to properly validate an unchecked argument, which can lead to arbitrary command execution. The vulnerability can be exploited by manipulating the 'bzcat' system property to execute arbitrary commands (GitHub POC).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code via passing an unchecked argument to the affected component. Given the CVSS score of 9.8, this represents a critical security risk that could lead to complete system compromise (NVD).

The recommended mitigation is to strictly check whether System.getProperty('bzcat', 'bzcat') returns the legitimate path of the bzcat executable. Users should upgrade to a version newer than 3.9.2 if available (GitHub POC).