If you read the CVE, POI 3.15 and earlier are vulnerable to hand-crafted XML attacks. See Billion Laughs [1]. These won't exist in an XML file by accident--they're deliberately added by someone with malicious intent or someone copying the XML contents of an untrustworthy file without checking the contents.
The consequence is a denial of service, either by exhausting available memory (which will thrash the JVM's garbage collector until the JVM figures out that there isn't enough memory that can be gc'd to allocate the requested memory), or by pegging the CPU doing work that grows exponentially, whichever DoS vector occurs first.

[1] Billion Laughs example: https://en.wikipedia.org/wiki/Billion_laughs#Code_example

On May 3, 2017 06:38, "Andreas Beeker" <kiwiwi...@apache.org> wrote:
>
> We specifically use POI ONLY for extracting data from Microsoft Excel
> sheets ...
> Do you trust and know the people/programs generating those Excel sheets?
> Yes -> no need to upgrade
> No -> upgrade!
>
> PS: Sorry for the double posting ... it was in the wrong list ....
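Added illustration, not part of the original mail and not POI's own code: a Python script that builds a Billion Laughs document of the shape cited in [1] and computes, purely arithmetically and without ever expanding it, how many characters the body would become after entity expansion. It also shows the kind of pre-parse gate a consumer of untrusted XML can apply (refuse any DTD, or cap the expanded size). The function names, the regex-based DTD reading and the 10 MB limit are this example's own assumptions, not anything from the CVE or from POI's fix.

```python
import re

# Constructed payload generator in the shape of the Wikipedia example:
# one 3-character base entity, then `depth` levels that each reference
# the previous level `fanout` times. The default (9 levels, fanout 10)
# expands to 10**9 copies of "lol", i.e. about 3 GB of text, from a
# document well under 1 KB on disk. Nothing below ever expands it.
def build_billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for level in range(1, depth + 1):
        name = f"lol{level}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY {name} "{refs}">')
        prev = name
    dtd = "\n".join(decls)
    return f'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n{dtd}\n]>\n<lolz>&{prev};</lolz>'


# Internal-subset entity declarations and general entity references.
# Deliberately simplified (assumption for this example): double-quoted
# values only, no parameter (%) entities, no external entities. That is
# enough to reason about the payload's size; it is not an XML parser.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")


def _expanded_len(text: str, decls: dict, memo: dict, stack: set) -> int:
    """Length of `text` after recursively expanding entity references,
    computed by adding up lengths; no expanded string is materialized."""
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(text):
        total += m.start() - pos
        name = m.group(1)
        if name not in decls:
            # Predefined (&amp;, &lt;, ...) or undeclared: count as written.
            total += m.end() - m.start()
        else:
            if name not in memo:
                if name in stack:
                    # XML forbids this; a malicious document may still do it.
                    raise ValueError(f"recursive entity &{name};")
                stack.add(name)
                memo[name] = _expanded_len(decls[name], decls, memo, stack)
                stack.discard(name)
            total += memo[name]
        pos = m.end()
    return total + (len(text) - pos)


def expanded_body_size(xml_text: str) -> int:
    """Characters the document body (everything after the internal DTD
    subset) would occupy once every entity reference is expanded."""
    decls = dict(ENTITY_DECL.findall(xml_text))
    end = xml_text.rfind("]>")
    body = xml_text[end + 2:] if end != -1 else xml_text
    return _expanded_len(body.strip(), decls, memo={}, stack=set())


def check_untrusted_xml(xml_text: str, max_expanded: int = 10_000_000,
                        allow_dtd: bool = False):
    """Pre-parse gate for XML from a source you do not trust. Returns None
    if the document may go to the real parser, otherwise a reason string.
    The 10 MB default is an arbitrary limit chosen for this example."""
    if not allow_dtd and "<!DOCTYPE" in xml_text:
        return "rejected: document declares a DTD; entity expansion not allowed"
    try:
        size = expanded_body_size(xml_text)
    except ValueError as exc:
        return f"rejected: {exc}"
    if size > max_expanded:
        return f"rejected: body would expand to {size:,} characters"
    return None


if __name__ == "__main__":
    doc = build_billion_laughs()
    print(f"payload on disk:  {len(doc)} characters")
    print(f"after expansion:  {expanded_body_size(doc):,} characters")
    # Each extra level multiplies the expanded size by the fanout.
    for depth in range(1, 10):
        print(f"depth {depth}: {expanded_body_size(build_billion_laughs(depth=depth)):,}")
    print(check_untrusted_xml(doc))
    print(check_untrusted_xml(doc, allow_dtd=True))
    print(check_untrusted_xml("<sheet><c>&amp;</c></sheet>"))
```

The depth loop is the point of the thread's "grows exponentially": every additional declaration line multiplies the expanded size by ten, so a parser that materializes the text hits the memory limit (or spends the CPU time) long before the input looks suspicious by its on-disk size. Refusing a DOCTYPE outright, the first branch of `check_untrusted_xml`, is the simplest policy when the spreadsheets are only ever read for their data.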