Description

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Remediation

References

http://poi.apache.org/changes.html

https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations

http://secunia.com/advisories/60419

http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt

http://www.securityfocus.com/bid/69647

http://rhn.redhat.com/errata/RHSA-2014-1398.html

http://rhn.redhat.com/errata/RHSA-2014-1399.html

http://rhn.redhat.com/errata/RHSA-2014-1400.html

http://rhn.redhat.com/errata/RHSA-2014-1370.html

http://secunia.com/advisories/59943

http://secunia.com/advisories/61766

http://www.securityfocus.com/bid/78018

http://www-01.ibm.com/support/docview.wss?uid=swg21996759

https://exchange.xforce.ibmcloud.com/vulnerabilities/95770

Related Vulnerabilities

CVE-2020-1960 Vulnerability in maven package org.apache.flink:flink-metrics-jmx

CVE-2019-1003010 Vulnerability in maven package org.jenkins-ci.plugins:git

CVE-2019-10395 Vulnerability in maven package org.jenkins-ci.plugins:build-environment

CVE-2018-12544 Vulnerability in maven package io.vertx:vertx-web-api-contract

CVE-2014-3502 Vulnerability in npm package cordova-android

Severity

Critical

Tags

Vendor Advisory NVD-CWE-Other