Date: Fri, 22 Jul 2016 19:18:13 +0000 (UTC) From: Tim Allison <tallison@...che.org> To: "security@...che.org" <security@...che.org>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "dev@....apache.org" <dev@....apache.org>, "user@....apache.org" <user@....apache.org> Subject: [CVE-2016-5000] XML External Entity (XXE) Vulnerability in Apache POI's XLSX2CSV Example CVE-2016-5000: XML External Entity (XXE) Vulnerability in Apache POI's XLSX2CSV Example Severity: Important Vendor: The Apache Software Foundation Versions Affected: POI 3.5-3.13 Description: Apache POI's XLSX2CSV example uses Java's XML components to parse OpenXML files. Applications and users that use XLSX2CSV and accept such files from end-users are vulnerable to XML External Entity (XXE) attacks, which allow remote attackers to bypass security restrictions and read arbitrary files via a crafted OpenXML document that provides an XML external entity declaration in conjunction with an entity reference. Mitigation: Upgrade to 3.14 or higher Credit: This issue was discovered by Mauro Gentile of Minded Security.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.