Description

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Remediation

References

http://poi.apache.org/changes.html

http://rhn.redhat.com/errata/RHSA-2014-1370.html

http://rhn.redhat.com/errata/RHSA-2014-1398.html

http://rhn.redhat.com/errata/RHSA-2014-1399.html

http://rhn.redhat.com/errata/RHSA-2014-1400.html

http://secunia.com/advisories/59943

http://secunia.com/advisories/60419

http://secunia.com/advisories/61766

http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt

http://www.securityfocus.com/bid/69647

http://www.securityfocus.com/bid/78018

http://www-01.ibm.com/support/docview.wss?uid=swg21996759

https://exchange.xforce.ibmcloud.com/vulnerabilities/95770

https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations

Related Vulnerabilities

CVE-2022-29251 Vulnerability in maven package org.xwiki.platform:xwiki-platform-flamingo-theme-ui

CVE-2021-42357 Vulnerability in maven package org.apache.knox:gateway-service-knoxsso

CVE-2019-0205 Vulnerability in maven package org.apache.thrift:libthrift

CVE-2013-4152 Vulnerability in maven package org.springframework:spring-oxm

CVE-2023-37944 Vulnerability in maven package org.datadog.jenkins.plugins:datadog

Severity

Critical

Tags

Vendor Advisory NVD-CWE-Other