CVE-2017-5644

CWE-776 — XML Entity Expansion (Billion Laughs)8 documents6 sources

Severity

5.5MEDIUM

EPSS

0.7%

top 28.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache POI Apache Software Foundation Apache POI

Timeline

PublishedMar 24

Latest updateMay 13

Description

Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶Mavenorg.apache.poi:poi< 3.15

▶Debianlibapache-poi-java< 3.17-1+3

▶NVDapache/poi3.14

▶CVEListV5apache_software_foundation/apache_poibefore 3.15

🔴Vulnerability Details

OSV

Improper Restriction of Recursive Entity References in DTDs in Apache POI↗2022-05-13

▶

GHSA

Improper Restriction of Recursive Entity References in DTDs in Apache POI↗2022-05-13

▶

OSV

CVE-2017-5644: Apache POI in versions prior to release 3↗2017-03-24

▶

CVEList

CVE-2017-5644: Apache POI in versions prior to release 3↗2017-03-24

▶

📋Vendor Advisories

Debian

CVE-2017-5644: libapache-poi-java - Apache POI in versions prior to release 3.15 allows remote attackers to cause a ...↗2017

▶

💬Community

Bugzilla

CVE-2017-5644 apache-poi: XML entity expansion via specially crafted OOXML file [fedora-all]↗2017-03-21

▶

Bugzilla

CVE-2017-5644 apache-poi: XML entity expansion via specially crafted OOXML file↗2017-03-21

▶