What is the severity of CVE-2014-3529?

CVE-2014-3529 is rated as a medium severity vulnerability.

How do I fix CVE-2014-3529?

To fix CVE-2014-3529, update Apache POI to version 3.10.1 or higher.

What impact does CVE-2014-3529 have?

CVE-2014-3529 allows a remote attacker to read files accessible to the user running the application server.

Which versions of Apache POI are affected by CVE-2014-3529?

Apache POI versions prior to 3.10.1 and those above 3.10 but below 3.11 are affected by CVE-2014-3529.

Is CVE-2014-3529 found in both maven and redhat packages?

Yes, CVE-2014-3529 affects both the maven package org.apache.poi:poi and the redhat package apache-poi-ooxml.

Vulnerability/
CVE-2014-3529

medium

4.3

CWE

611

18/8/2014

4/9/2014

17/5/2022

6/8/2024

CVE-2014-3529: XEE

First published: Mon Aug 18 2014(Updated: )

IssueDescription: It was found that Apache POI would resolve entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to read files accessible to the user running the application server, and potentially perform more advanced XML External Entity (XXE) attacks.

Credit: secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/apache-poi-ooxml	<3.10.1	3.10.1
redhat/apache-poi-ooxml	<3.11	3.11
Apache POI	<=3.10
Apache POI	=0.1
Apache POI	=0.2
Apache POI	=0.3
Apache POI	=0.4
Apache POI	=0.5
Apache POI	=0.6
Apache POI	=0.7
Apache POI	=0.10.0
Apache POI	=0.11.0
Apache POI	=0.12.0
Apache POI	=0.13.0
Apache POI	=0.14.0
Apache POI	=1.0.0
Apache POI	=1.0.1
Apache POI	=1.0.2
Apache POI	=1.1.0
Apache POI	=1.2.0
Apache POI	=1.5
Apache POI	=1.5.1
Apache POI	=1.7-dev
Apache POI	=1.8-dev
Apache POI	=1.10-dev
Apache POI	=2.0
Apache POI	=2.0-pre1
Apache POI	=2.0-pre2
Apache POI	=2.0-pre3
Apache POI	=2.0-rc1
Apache POI	=2.0-rc2
Apache POI	=2.5
Apache POI	=2.5.1
Apache POI	=3.0
Apache POI	=3.0-alpha1
Apache POI	=3.0-alpha2
Apache POI	=3.0-alpha3
Apache POI	=3.0.1
Apache POI	=3.0.2
Apache POI	=3.0.2-beta1
Apache POI	=3.0.2-beta2
Apache POI	=3.1
Apache POI	=3.1-beta1
Apache POI	=3.1-beta2
Apache POI	=3.2
Apache POI	=3.5
Apache POI	=3.5-beta1
Apache POI	=3.5-beta2
Apache POI	=3.5-beta3
Apache POI	=3.5-beta4
Apache POI	=3.5-beta5
Apache POI	=3.5-beta6
Apache POI	=3.6
Apache POI	=3.7
Apache POI	=3.7-beta1
Apache POI	=3.7-beta2
Apache POI	=3.7-beta3
Apache POI	=3.8
Apache POI	=3.8-beta1
Apache POI	=3.8-beta2
Apache POI	=3.8-beta3
Apache POI	=3.8-beta4
Apache POI	=3.8-beta5
Apache POI	=3.9
Apache POI	=3.10-beta1
Apache POI	=3.10-beta2
maven/org.apache.poi:poi	<3.10.1	3.10.1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the severity of CVE-2014-3529?
CVE-2014-3529 is rated as a medium severity vulnerability.
How do I fix CVE-2014-3529?
To fix CVE-2014-3529, update Apache POI to version 3.10.1 or higher.
What impact does CVE-2014-3529 have?
CVE-2014-3529 allows a remote attacker to read files accessible to the user running the application server.
Which versions of Apache POI are affected by CVE-2014-3529?
Apache POI versions prior to 3.10.1 and those above 3.10 but below 3.11 are affected by CVE-2014-3529.
Is CVE-2014-3529 found in both maven and redhat packages?
Yes, CVE-2014-3529 affects both the maven package org.apache.poi:poi and the redhat package apache-poi-ooxml.

collector/redhat-cve
collector/nvd-index
agent/type
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-q56h-jjj6-52mf
alias/CVE-2014-3529
agent/software-canonical-lookup
agent/severity
agent/references
agent/weakness
agent/author
agent/description
collector/nvd-cve
source/NVD
agent/softwarecombine
collector/github-advisory
collector/redhat-bugzilla
source/Red Hat
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/event
agent/trending
agent/tags
agent/source
vendor/apache
canonical/apache poi
version/apache poi/3.10
version/apache poi/0.1
version/apache poi/0.2
version/apache poi/0.3
version/apache poi/0.4
version/apache poi/0.5
version/apache poi/0.6
version/apache poi/0.7
version/apache poi/0.10.0
version/apache poi/0.11.0
version/apache poi/0.12.0
version/apache poi/0.13.0
version/apache poi/0.14.0
version/apache poi/1.0.0
version/apache poi/1.0.1
version/apache poi/1.0.2
version/apache poi/1.1.0
version/apache poi/1.2.0
version/apache poi/1.5
version/apache poi/1.5.1
version/apache poi/1.7-dev
version/apache poi/1.8-dev
version/apache poi/1.10-dev
version/apache poi/2.0
version/apache poi/2.0-pre1
version/apache poi/2.0-pre2
version/apache poi/2.0-pre3
version/apache poi/2.0-rc1
version/apache poi/2.0-rc2
version/apache poi/2.5
version/apache poi/2.5.1
version/apache poi/3.0
version/apache poi/3.0-alpha1
version/apache poi/3.0-alpha2
version/apache poi/3.0-alpha3
version/apache poi/3.0.1
version/apache poi/3.0.2
version/apache poi/3.0.2-beta1
version/apache poi/3.0.2-beta2
version/apache poi/3.1
version/apache poi/3.1-beta1
version/apache poi/3.1-beta2
version/apache poi/3.2
version/apache poi/3.5
version/apache poi/3.5-beta1
version/apache poi/3.5-beta2
version/apache poi/3.5-beta3
version/apache poi/3.5-beta4
version/apache poi/3.5-beta5
version/apache poi/3.5-beta6
version/apache poi/3.6
version/apache poi/3.7
version/apache poi/3.7-beta1
version/apache poi/3.7-beta2
version/apache poi/3.7-beta3
version/apache poi/3.8
version/apache poi/3.8-beta1
version/apache poi/3.8-beta2
version/apache poi/3.8-beta3
version/apache poi/3.8-beta4
version/apache poi/3.8-beta5
version/apache poi/3.9
version/apache poi/3.10-beta1
version/apache poi/3.10-beta2
package-manager/maven
package-manager/redhat