Description
The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Remediation
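Parser-level hardening for this class of bug, as an added Java example; it is not Apache POI's own fix (per the description, the project-level remediation is moving to Apache POI 3.10.1 or later). The sample relationships part and its SYSTEM target are constructed placeholders.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedOpcSax {
    // Constructed sample: a minimal OpenXML relationships part that declares an external
    // entity and references it, the input shape the advisory describes. Placeholder target.
    static final String SAMPLE_PART = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///placeholder/not/a/real/path\">]>"
        + "<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">"
        + "<Relationship Id=\"rId1\" Type=\"t\" Target=\"&ext;\"/></Relationships>";

    // Factory whose parsers refuse DOCTYPEs and never resolve external entities or DTDs.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // OPC parts never legitimately carry a DOCTYPE, so reject it before any entity exists.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Parses one XML part with the hardened parser; false means the part was rejected.
    static boolean partParses(InputSource part) throws Exception {
        try {
            hardenedFactory().newSAXParser().parse(part, new DefaultHandler());
            return true;
        } catch (SAXException e) { // DOCTYPE present: rejected before any entity resolution
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("sample part accepted: "
            + partParses(new InputSource(new StringReader(SAMPLE_PART))));
    }
}
```

Apply the same factory to every XML and .rels part read from the package, since the entity declaration can sit in any part, not only the one being queried.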
References
http://poi.apache.org/changes.html
http://rhn.redhat.com/errata/RHSA-2014-1370.html
http://rhn.redhat.com/errata/RHSA-2014-1398.html
http://rhn.redhat.com/errata/RHSA-2014-1399.html
http://rhn.redhat.com/errata/RHSA-2014-1400.html
http://secunia.com/advisories/59943
http://secunia.com/advisories/60419
http://secunia.com/advisories/61766
http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt
http://www.securityfocus.com/bid/69647
http://www.securityfocus.com/bid/78018
http://www-01.ibm.com/support/docview.wss?uid=swg21996759
https://exchange.xforce.ibmcloud.com/vulnerabilities/95770
https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations