Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 22 Jul 2016 19:18:13 +0000 (UTC)
From: Tim Allison <tallison@...che.org>
To: "security@...che.org" <security@...che.org>, 
	"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, 
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, 
	"dev@....apache.org" <dev@....apache.org>, 
	"user@....apache.org" <user@....apache.org>
Subject: [CVE-2016-5000] XML External Entity (XXE) Vulnerability in Apache
 POI's XLSX2CSV Example

CVE-2016-5000: XML External Entity (XXE) Vulnerability in Apache POI's XLSX2CSV Example 

Severity: Important 

Vendor: The Apache Software Foundation 

Versions Affected: POI 3.5-3.13 

Description: 

Apache POI's XLSX2CSV example uses Java's XML components to parse OpenXML files. Applications and users that use XLSX2CSV and accept such files from end-users are vulnerable to XML External Entity (XXE) attacks, which allow remote attackers to bypass security restrictions and read arbitrary files via a crafted OpenXML document that provides an XML external entity declaration in conjunction with an entity reference.

Mitigation: Upgrade to 3.14 or higher 


Credit: This issue was discovered by Mauro Gentile of Minded Security.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.