poi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 63899] New: xxe vulnerability
Date Fri, 01 Nov 2019 18:21:26 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=63899

            Bug ID: 63899
           Summary: xxe vulnerability
           Product: POI
           Version: 4.1.0-FINAL
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: XSSF
          Assignee: dev@poi.apache.org
          Reporter: callsanpan@gmail.com
  Target Milestone: ---

Created attachment 36868
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36868&action=edit
pw: test123

Apache POI's latest version 4.1.1 is still vulnerable to XXE vulnerability
while uploading the XLSX file.
An XXE attack can be made by adding Doc Type declaration in the
sharedStrings.xml file. Current implements block vulnerability if it is
injected in all other XML files but doesn't when added in sharedStrings.xml
file.
Please do the needful.
The vulnerable file is attached.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org


Mime
View raw message