https://bz.apache.org/bugzilla/show_bug.cgi?id=63899
Bug ID: 63899
Summary: xxe vulnerability
Product: POI
Version: 4.1.0-FINAL
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: blocker
Priority: P2
Component: XSSF
Assignee: dev@poi.apache.org
Reporter: callsan...@gmail.com
Target Milestone: ---

Created attachment 36868
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36868&action=edit
pw: test123

Apache POI's latest version 4.1.1 is still vulnerable to XXE when uploading an XLSX file. An XXE attack can be made by adding a DOCTYPE declaration in the sharedStrings.xml file. The current implementation blocks the vulnerability if it is injected in all other XML files but doesn't when it is added in the sharedStrings.xml file.

Please do the needful. The vulnerable file is attached.
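A pre-parse gate for the condition described in this report, as an added example (not code from the report or from Apache POI): it refuses an XLSX package if any XML part, xl/sharedStrings.xml included, carries a DOCTYPE declaration. The class name, the per-part size limit and the sample package are constructed for illustration; the parser feature is the Xerces/JDK disallow-doctype-decl feature.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XlsxDoctypeGate {
    static final int MAX_PART_BYTES = 16 * 1024 * 1024; // assumed per-part limit
    /** Names of XML parts that a DOCTYPE-refusing parser rejects (or that exceed the limit). */
    static List<String> rejectedParts(byte[] xlsx) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Any DOCTYPE declaration becomes a fatal error, so no entity is ever defined or resolved.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        List<String> rejected = new ArrayList<>();
        try (ZipInputStream zip = new ZipInputStream(new ByteArrayInputStream(xlsx))) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
                String name = e.getName();
                if (!name.endsWith(".xml") && !name.endsWith(".rels")) continue;
                byte[] part = zip.readNBytes(MAX_PART_BYTES + 1); // bounded read of this entry
                try {
                    if (part.length > MAX_PART_BYTES) throw new SAXException("part too large");
                    factory.newSAXParser().parse(new ByteArrayInputStream(part), new DefaultHandler());
                } catch (SAXException ex) {
                    rejected.add(name);
                }
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample package: one clean part, one part with an internal-only DOCTYPE.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            out.putNextEntry(new ZipEntry("xl/workbook.xml"));
            out.write("<workbook/>".getBytes(StandardCharsets.UTF_8));
            out.putNextEntry(new ZipEntry("xl/sharedStrings.xml"));
            out.write("<!DOCTYPE sst [<!ENTITY e \"constructed\">]><sst><si><t>&e;</t></si></sst>"
                    .getBytes(StandardCharsets.UTF_8));
        }
        System.out.println(rejectedParts(buf.toByteArray()));
    }
}
```

Run the gate on the uploaded bytes before they reach the spreadsheet parser; a non-empty list means the upload should be refused. Because every part is checked by the same parser configuration, no individual file inside the package is exempt.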