Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround.
Vulnerable Library - xlsx-streamer-2.0.0.jar
Streaming Excel reader
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/monitorjbl/xlsx-streamer/2.0.0/xlsx-streamer-2.0.0.jar
Vulnerabilities
Reachable
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-23640
### Vulnerable Library - xlsx-streamer-2.0.0.jarStreaming Excel reader
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/monitorjbl/xlsx-streamer/2.0.0/xlsx-streamer-2.0.0.jar
Dependency Hierarchy: - :x: **xlsx-streamer-2.0.0.jar** (Vulnerable Library)
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.othervulns.xlsxStreamerXXE (Application) -> com.monitorjbl.xlsx.StreamingReader (Extension) -> com.monitorjbl.xlsx.impl.StreamingWorkbookReader (Extension) -> ❌ com.monitorjbl.xlsx.XmlUtils (Vulnerable Component) ``` ### Vulnerability DetailsExcel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround.
Publish Date: 2022-03-02
URL: CVE-2022-23640
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23640
Release Date: 2022-03-02
Fix Resolution: 2.1.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules