CVE-2014-3574

Опубликовано: 18 авг. 2014

Источник: redhat

CVSS2: 5

EPSS Средний

Описание

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

It was found that Apache POI would expand an unlimited number of entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to trigger a denial of service attack via excessive CPU and memory consumption.

Отчет

Red Hat Product Security has determined that CVE-2014-3574 is not exploitable by default in JBoss Portal Platform as provided by Red Hat. This flaw would only be exploitable if the Apache POI library provided by JBoss Portal Platform were used by a custom application to process user-supplied XML documents.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat BPM Suite 6	apache-poi	Affected
Red Hat Enterprise Virtualization 3	jasperreports-server-pro	Affected
Red Hat JBoss BRMS 5	apache-poi	Will not fix
Red Hat JBoss BRMS 6	apache-poi	Affected
Red Hat JBoss Portal 5	apache-poi	Will not fix
Red Hat JBoss SOA Platform 4	apache-poi	Will not fix
Red Hat Satellite 5.3	apache-poi	Will not fix
Red Hat Satellite 5.4	apache-poi	Will not fix
Red Hat Satellite 5.5	apache-poi	Will not fix
Red Hat Satellite 5.6	apache-poi	Will not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1138140apache-poi: entity expansion (billion laughs) flaw

EPSS

Процентиль: 93%

0.11114

Средний

5 Medium

CVSS2

Связанные уязвимости

CVE-2014-3574

ubuntu

больше 11 лет назад

CVE-2014-3574

nvd

больше 11 лет назад

CVE-2014-3574

debian

больше 11 лет назад

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote at ...

GHSA-5wfp-8643-c58x

github

больше 3 лет назад

Improper Input Validation in Apache POI

EPSS

Процентиль: 93%

0.11114

Средний

5 Medium

CVSS2