CVE-2014-3529: XEE
First published: Mon Aug 18 2014(Updated: )
IssueDescription: It was found that Apache POI would resolve entities in OOXML documents. A remote attacker able to supply OOXML documents that are parsed by Apache POI could use this flaw to read files accessible to the user running the application server, and potentially perform more advanced XML External Entity (XXE) attacks.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/apache-poi-ooxml | <3.10.1 | 3.10.1 |
| redhat/apache-poi-ooxml | <3.11 | 3.11 |
| Apache POI | <=3.10 | |
| Apache POI | =0.1 | |
| Apache POI | =0.2 | |
| Apache POI | =0.3 | |
| Apache POI | =0.4 | |
| Apache POI | =0.5 | |
| Apache POI | =0.6 | |
| Apache POI | =0.7 | |
| Apache POI | =0.10.0 | |
| Apache POI | =0.11.0 | |
| Apache POI | =0.12.0 | |
| Apache POI | =0.13.0 | |
| Apache POI | =0.14.0 | |
| Apache POI | =1.0.0 | |
| Apache POI | =1.0.1 | |
| Apache POI | =1.0.2 | |
| Apache POI | =1.1.0 | |
| Apache POI | =1.2.0 | |
| Apache POI | =1.5 | |
| Apache POI | =1.5.1 | |
| Apache POI | =1.7-dev | |
| Apache POI | =1.8-dev | |
| Apache POI | =1.10-dev | |
| Apache POI | =2.0 | |
| Apache POI | =2.0-pre1 | |
| Apache POI | =2.0-pre2 | |
| Apache POI | =2.0-pre3 | |
| Apache POI | =2.0-rc1 | |
| Apache POI | =2.0-rc2 | |
| Apache POI | =2.5 | |
| Apache POI | =2.5.1 | |
| Apache POI | =3.0 | |
| Apache POI | =3.0-alpha1 | |
| Apache POI | =3.0-alpha2 | |
| Apache POI | =3.0-alpha3 | |
| Apache POI | =3.0.1 | |
| Apache POI | =3.0.2 | |
| Apache POI | =3.0.2-beta1 | |
| Apache POI | =3.0.2-beta2 | |
| Apache POI | =3.1 | |
| Apache POI | =3.1-beta1 | |
| Apache POI | =3.1-beta2 | |
| Apache POI | =3.2 | |
| Apache POI | =3.5 | |
| Apache POI | =3.5-beta1 | |
| Apache POI | =3.5-beta2 | |
| Apache POI | =3.5-beta3 | |
| Apache POI | =3.5-beta4 | |
| Apache POI | =3.5-beta5 | |
| Apache POI | =3.5-beta6 | |
| Apache POI | =3.6 | |
| Apache POI | =3.7 | |
| Apache POI | =3.7-beta1 | |
| Apache POI | =3.7-beta2 | |
| Apache POI | =3.7-beta3 | |
| Apache POI | =3.8 | |
| Apache POI | =3.8-beta1 | |
| Apache POI | =3.8-beta2 | |
| Apache POI | =3.8-beta3 | |
| Apache POI | =3.8-beta4 | |
| Apache POI | =3.8-beta5 | |
| Apache POI | =3.9 | |
| Apache POI | =3.10-beta1 | |
| Apache POI | =3.10-beta2 | |
| maven/org.apache.poi:poi | <3.10.1 | 3.10.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2014-3529 https://nvd.nist.gov/vuln/detail/CVE-2014-3529
- https://bugzilla.redhat.com/show_bug.cgi?id=1138135
- https://access.redhat.com/errata/RHSA-2014:1399
- https://access.redhat.com/errata/RHSA-2014:1400
- https://access.redhat.com/errata/RHSA-2014:1398
- https://access.redhat.com/errata/RHSA-2014:1370
- https://access.redhat.com/errata/RHSA-2015:1009
- https://access.redhat.com/security/cve/CVE-2014-3529
- http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1138152
- https://issues.apache.org/bugzilla/show_bug.cgi?id=56164
- http://svn.apache.org/viewvc?view=revision&revision=1569991
- http://svn.apache.org/viewvc?view=revision&revision=1589759
- http://svn.apache.org/viewvc?view=revision&revision=1615720
- http://svn.apache.org/viewvc?view=revision&revision=1617849
- https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3529.yaml
- https://rhn.redhat.com/errata/RHSA-2014-1370.html
- https://rhn.redhat.com/errata/RHSA-2014-1400.html
- https://rhn.redhat.com/errata/RHSA-2014-1399.html
- https://rhn.redhat.com/errata/RHSA-2014-1398.html
- https://rhn.redhat.com/errata/RHSA-2015-1009.html
- http://poi.apache.org/changes.html
- http://rhn.redhat.com/errata/RHSA-2014-1370.html
- http://rhn.redhat.com/errata/RHSA-2014-1398.html
- http://rhn.redhat.com/errata/RHSA-2014-1399.html
- http://rhn.redhat.com/errata/RHSA-2014-1400.html
- http://secunia.com/advisories/59943
- http://secunia.com/advisories/60419
- http://secunia.com/advisories/61766
- http://www-01.ibm.com/support/docview.wss?uid=swg21996759
- http://www.securityfocus.com/bid/69647
- http://www.securityfocus.com/bid/78018
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95770
- https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations
- https://nvd.nist.gov/vuln/detail/CVE-2014-3529
- https://github.com/apache/poi/commit/103b45073c7b504236588b3acc146530205af53c
- https://github.com/apache/poi/commit/236c3c52a9b90688b2e57ec503559409e29f33ed
- https://github.com/apache/poi/commit/6050a68d5adfb4ffef1edb778add09bcee32d1c3
- https://github.com/apache/poi/commit/d72bd78c19dfb7b57395a66ae8d9269d59a87bd2
- https://github.com/apache/poi/commit/eabb6a924be24abb879372d0bc967e0d316b2cf8
- https://github.com/advisories/GHSA-q56h-jjj6-52mf (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-q56h-jjj6-52mf
- alias/CVE-2014-3529
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/github-advisory
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/tags
- agent/source
- vendor/apache
- canonical/apache poi
- version/apache poi/3.10
- version/apache poi/0.1
- version/apache poi/0.2
- version/apache poi/0.3
- version/apache poi/0.4
- version/apache poi/0.5
- version/apache poi/0.6
- version/apache poi/0.7
- version/apache poi/0.10.0
- version/apache poi/0.11.0
- version/apache poi/0.12.0
- version/apache poi/0.13.0
- version/apache poi/0.14.0
- version/apache poi/1.0.0
- version/apache poi/1.0.1
- version/apache poi/1.0.2
- version/apache poi/1.1.0
- version/apache poi/1.2.0
- version/apache poi/1.5
- version/apache poi/1.5.1
- version/apache poi/1.7-dev
- version/apache poi/1.8-dev
- version/apache poi/1.10-dev
- version/apache poi/2.0
- version/apache poi/2.0-pre1
- version/apache poi/2.0-pre2
- version/apache poi/2.0-pre3
- version/apache poi/2.0-rc1
- version/apache poi/2.0-rc2
- version/apache poi/2.5
- version/apache poi/2.5.1
- version/apache poi/3.0
- version/apache poi/3.0-alpha1
- version/apache poi/3.0-alpha2
- version/apache poi/3.0-alpha3
- version/apache poi/3.0.1
- version/apache poi/3.0.2
- version/apache poi/3.0.2-beta1
- version/apache poi/3.0.2-beta2
- version/apache poi/3.1
- version/apache poi/3.1-beta1
- version/apache poi/3.1-beta2
- version/apache poi/3.2
- version/apache poi/3.5
- version/apache poi/3.5-beta1
- version/apache poi/3.5-beta2
- version/apache poi/3.5-beta3
- version/apache poi/3.5-beta4
- version/apache poi/3.5-beta5
- version/apache poi/3.5-beta6
- version/apache poi/3.6
- version/apache poi/3.7
- version/apache poi/3.7-beta1
- version/apache poi/3.7-beta2
- version/apache poi/3.7-beta3
- version/apache poi/3.8
- version/apache poi/3.8-beta1
- version/apache poi/3.8-beta2
- version/apache poi/3.8-beta3
- version/apache poi/3.8-beta4
- version/apache poi/3.8-beta5
- version/apache poi/3.9
- version/apache poi/3.10-beta1
- version/apache poi/3.10-beta2
- package-manager/maven
- package-manager/redhat