dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2018-1000632
### Vulnerable Library - dom4j-1.6.1.jardom4j: the flexible XML framework for Java
Library home page: http://sourceforge.net/projects/dom4j
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar
Dependency Hierarchy: - poi-ooxml-3.9.jar (Root Library) - :x: **dom4j-1.6.1.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.XXE (Application) -> org.dom4j.io.SAXReader (Extension) -> org.dom4j.DocumentFactory (Extension) -> ❌ org.dom4j.tree.QNameCache (Vulnerable Component) ``` ### Vulnerability Detailsdom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Publish Date: 2018-08-20
URL: CVE-2018-1000632
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.4%
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632/
Release Date: 2018-08-20
Fix Resolution (dom4j:dom4j): 20040902.021138
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 3.10.1
In order to enable automatic remediation, please create workflow rules
CVE-2019-12415
### Vulnerable Library - poi-ooxml-3.9.jarApache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar
Dependency Hierarchy: - :x: **poi-ooxml-3.9.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.othervulns.ooxmlXXE (Application) -> org.apache.poi.xssf.usermodel.XSSFCell (Extension) -> org.apache.poi.xssf.model.StylesTable (Extension) -> org.apache.poi.openxml4j.opc.OPCPackage (Extension) -> ❌ org.apache.poi.openxml4j.opc.StreamHelper (Vulnerable Component) ``` ### Vulnerability DetailsIn Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
Publish Date: 2019-10-23
URL: CVE-2019-12415
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12415
Release Date: 2019-10-23
Fix Resolution: 4.1.1
In order to enable automatic remediation, please create workflow rules
CVE-2017-5644
### Vulnerable Library - poi-ooxml-3.9.jarApache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar
Dependency Hierarchy: - :x: **poi-ooxml-3.9.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.othervulns.ooxmlXXE (Application) -> org.apache.poi.xssf.usermodel.XSSFSheet (Extension) -> ❌ org.apache.poi.xssf.usermodel.XSSFVMLDrawing (Vulnerable Component) ``` ### Vulnerability DetailsApache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Publish Date: 2017-03-24
URL: CVE-2017-5644
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 1.4000001%
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5644
Release Date: 2017-03-24
Fix Resolution: 3.15-beta1
In order to enable automatic remediation, please create workflow rules
CVE-2014-3574
### Vulnerable Library - poi-ooxml-3.9.jarApache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar
Dependency Hierarchy: - :x: **poi-ooxml-3.9.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.othervulns.ooxmlXXE (Application) -> org.apache.poi.xssf.usermodel.XSSFCell (Extension) -> ❌ org.apache.poi.xssf.model.SharedStringsTable (Vulnerable Component) ``` ### Vulnerability DetailsApache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Publish Date: 2014-09-04
URL: CVE-2014-3574
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 1.6%
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3574
Release Date: 2014-09-04
Fix Resolution: 3.10.1
In order to enable automatic remediation, please create workflow rules
CVE-2014-3529
### Vulnerable Library - poi-ooxml-3.9.jarApache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar
Dependency Hierarchy: - :x: **poi-ooxml-3.9.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.othervulns.ooxmlXXE (Application) -> org.apache.poi.xssf.usermodel.XSSFWorkbook (Extension) -> org.apache.poi.openxml4j.opc.PackagePart (Extension) -> org.apache.poi.openxml4j.opc.ZipPackagePart (Extension) -> org.apache.poi.openxml4j.opc.ZipPackage (Extension) -> ❌ org.apache.poi.openxml4j.opc.internal.ContentTypeManager (Vulnerable Component) ``` ### Vulnerability DetailsThe OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Publish Date: 2014-09-04
URL: CVE-2014-3529
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3529
Release Date: 2014-09-04
Fix Resolution: 3.10.1
In order to enable automatic remediation, please create workflow rules
CVE-2020-10683
### Vulnerable Library - dom4j-1.6.1.jardom4j: the flexible XML framework for Java
Library home page: http://sourceforge.net/projects/dom4j
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar
Dependency Hierarchy: - poi-ooxml-3.9.jar (Root Library) - :x: **dom4j-1.6.1.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability Detailsdom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
Publish Date: 2020-05-01
URL: CVE-2020-10683
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.70000005%
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-05-01
Fix Resolution (dom4j:dom4j): 20040902.021138
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 3.10.1
In order to enable automatic remediation, please create workflow rules
CVE-2021-23926
### Vulnerable Library - xmlbeans-2.3.0.jarXmlBeans main jar
Library home page: http://xmlbeans.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/xmlbeans/xmlbeans/2.3.0/xmlbeans-2.3.0.jar
Dependency Hierarchy: - poi-ooxml-3.9.jar (Root Library) - poi-ooxml-schemas-3.9.jar - :x: **xmlbeans-2.3.0.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsThe XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
Publish Date: 2021-01-14
URL: CVE-2021-23926
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.4%
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23926
Release Date: 2021-01-14
Fix Resolution (org.apache.xmlbeans:xmlbeans): 3.0.0
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 3.10.1
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules