CVE-2014-3574

CWE-20 — Improper Input Validation9 documents7 sources

Severity

4.3MEDIUM

EPSS

11.1%

top 6.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache POI

Timeline

PublishedSep 4

Latest updateMay 17

Description

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Mavenorg.apache.poi:poi3.11-beta1 — 3.11-beta2+1

▶Debianlibapache-poi-java< 3.10.1-1+3

▶NVDapache/poi3.10+37

Patches

Patch: lucene.apache.org ↗Patch: lucene.apache.org ↗

🔴Vulnerability Details

GHSA

Improper Input Validation in Apache POI↗2022-05-17

▶

OSV

Improper Input Validation in Apache POI↗2022-05-17

▶

CVEList

CVE-2014-3574: Apache POI before 3↗2014-09-04

▶

OSV

CVE-2014-3574: Apache POI before 3↗2014-09-04

▶

📋Vendor Advisories

Red Hat

apache-poi: entity expansion (billion laughs) flaw↗2014-08-18

▶

Debian

CVE-2014-3574: libapache-poi-java - Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to...↗2014

▶

💬Community

Bugzilla

CVE-2014-3574 CVE-2014-3529 apache-poi: various flaws [fedora-all]↗2014-09-04

▶

Bugzilla

CVE-2014-3574 apache-poi: entity expansion (billion laughs) flaw↗2014-09-04

▶