gsd-2014-3529
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-3529",
"description": "The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"id": "GSD-2014-3529",
"references": [
"https://access.redhat.com/errata/RHSA-2015:1009",
"https://access.redhat.com/errata/RHSA-2014:1400",
"https://access.redhat.com/errata/RHSA-2014:1399",
"https://access.redhat.com/errata/RHSA-2014:1398",
"https://access.redhat.com/errata/RHSA-2014:1370",
"https://advisories.mageia.org/CVE-2014-3529.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2014-3529"
],
"details": "The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"id": "GSD-2014-3529",
"modified": "2023-12-13T01:22:52.870119Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-3529",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21996759",
"refsource": "CONFIRM",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21996759"
},
{
"name": "http://poi.apache.org/changes.html",
"refsource": "CONFIRM",
"url": "http://poi.apache.org/changes.html"
},
{
"name": "78018",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/78018"
},
{
"name": "61766",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61766"
},
{
"name": "https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations",
"refsource": "CONFIRM",
"url": "https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations"
},
{
"name": "apache-poi-cve20143529-info-disc(95770)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95770"
},
{
"name": "RHSA-2014:1370",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1370.html"
},
{
"name": "http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt",
"refsource": "CONFIRM",
"url": "http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt"
},
{
"name": "60419",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/60419"
},
{
"name": "RHSA-2014:1400",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1400.html"
},
{
"name": "69647",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/69647"
},
{
"name": "RHSA-2014:1398",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1398.html"
},
{
"name": "59943",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/59943"
},
{
"name": "RHSA-2014:1399",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1399.html"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,3.10-FINAL],[3.11-alpha0,3.11-beta1]",
"affected_versions": "All versions up to 3.10-final, all versions starting from 3.11-alpha0 up to 3.11-beta1",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2017-08-28",
"description": "The OPC SAX setup in this package allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"fixed_versions": [
"3.10.1",
"3.11-beta2"
],
"identifier": "CVE-2014-3529",
"identifiers": [
"CVE-2014-3529"
],
"not_impacted": "All versions after 3.11-beta1",
"package_slug": "maven/org.apache.poi/poi-ooxml",
"pubdate": "2014-09-04",
"solution": "Upgrade to versions 3.10.1, 3.11-beta2 or above.",
"title": "Entity expansion (billion laughs) flaw",
"urls": [
"https://bugzilla.redhat.com/CVE-2014-3529",
"https://issues.apache.org/bugzilla/show_bug.cgi?id=56164"
],
"uuid": "b01fdfc5-5b0d-451d-ad5c-831a70ae364b"
},
{
"affected_range": "(,3.10.1)",
"affected_versions": "All versions before 3.10.1",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-07-07",
"description": "The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.",
"fixed_versions": [
"3.10.1"
],
"identifier": "CVE-2014-3529",
"identifiers": [
"GHSA-q56h-jjj6-52mf",
"CVE-2014-3529"
],
"not_impacted": "All versions starting from 3.10.1",
"package_slug": "maven/org.apache.poi/poi",
"pubdate": "2022-05-17",
"solution": "Upgrade to version 3.10.1 or above.",
"title": "Improper Restriction of XML External Entity Reference in Apache POI",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2014-3529",
"https://exchange.xforce.ibmcloud.com/vulnerabilities/95770",
"https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations",
"http://poi.apache.org/changes.html",
"http://rhn.redhat.com/errata/RHSA-2014-1370.html",
"http://rhn.redhat.com/errata/RHSA-2014-1398.html",
"http://rhn.redhat.com/errata/RHSA-2014-1399.html",
"http://rhn.redhat.com/errata/RHSA-2014-1400.html",
"http://www-01.ibm.com/support/docview.wss?uid=swg21996759",
"http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt",
"https://github.com/advisories/GHSA-q56h-jjj6-52mf"
],
"uuid": "b26c7b3b-0f5f-46e6-95b2-e99bc2cec77b"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.10:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.7:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.7:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.5:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.5:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.0.2:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:2.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:2.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:1.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:0.12.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:0.11.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:0.10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.8:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.8:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.5:beta6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.5:beta5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.1:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.1:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.0:alpha2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.0:alpha1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:2.0:pre1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:1.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:1.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.10",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.10:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.8:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.5:beta4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.5:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.0.2:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:2.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:1.8:dev:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:1.7:dev:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:1.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:1.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:0.14.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:0.13.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.8:beta5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.8:beta4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.7:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:3.0:alpha3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:2.0:pre3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:2.0:pre2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:1.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:1.10:dev:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:poi:0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-3529"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://poi.apache.org/changes.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://poi.apache.org/changes.html"
},
{
"name": "https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations"
},
{
"name": "60419",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/60419"
},
{
"name": "http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt"
},
{
"name": "69647",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/69647"
},
{
"name": "RHSA-2014:1398",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1398.html"
},
{
"name": "RHSA-2014:1399",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1399.html"
},
{
"name": "RHSA-2014:1400",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1400.html"
},
{
"name": "RHSA-2014:1370",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1370.html"
},
{
"name": "59943",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/59943"
},
{
"name": "61766",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/61766"
},
{
"name": "78018",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/78018"
},
{
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21996759",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21996759"
},
{
"name": "apache-poi-cve20143529-info-disc(95770)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95770"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2017-08-29T01:34Z",
"publishedDate": "2014-09-04T17:55Z"
}
}
}
Loading...