CVE-2014-3529

CWE-611 — XML External Entity (XXE)9 documents7 sources

Severity

4.3MEDIUM

EPSS

5.2%

top 10.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache POI

Timeline

PublishedSep 4

Latest updateMay 17

Description

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Mavenorg.apache.poi:poi< 3.10.1

▶Debianlibapache-poi-java< 3.10.1-1+3

▶NVDapache/poi3.10+36

🔴Vulnerability Details

OSV

Improper Restriction of XML External Entity Reference in Apache POI↗2022-05-17

▶

GHSA

Improper Restriction of XML External Entity Reference in Apache POI↗2022-05-17

▶

CVEList

CVE-2014-3529: The OPC SAX setup in Apache POI before 3↗2014-09-04

▶

OSV

CVE-2014-3529: The OPC SAX setup in Apache POI before 3↗2014-09-04

▶

📋Vendor Advisories

Red Hat

apache-poi: XML eXternal Entity (XXE) flaw↗2014-08-18

▶

Debian

CVE-2014-3529: libapache-poi-java - The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read ar...↗2014

▶

💬Community

Bugzilla

CVE-2014-3574 CVE-2014-3529 apache-poi: various flaws [fedora-all]↗2014-09-04

▶

Bugzilla

CVE-2014-3529 apache-poi: XML eXternal Entity (XXE) flaw↗2014-09-04

▶