https://bz.apache.org/bugzilla/show_bug.cgi?id=63664
Bug ID: 63664
Summary: Veracode security issue - Improper Restriction of XML External Entity Reference (CWE ID 611) in OOXMLPrettyPrint
Product: POI
Version: 4.0.x-dev
Hardware: PC
Status: NEW
Severity: major
Priority: P2
Component: SXSSF
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
The product processes an XML document that can contain XML entities with URLs
that resolve to documents outside of the intended sphere of control, causing
the product to embed incorrect documents into its output. By default, the XML
entity resolver will attempt to resolve and retrieve external references. If
attacker-controlled XML can be submitted to one of these functions, then the
attacker could gain access to information about an internal network, local
filesystem, or other sensitive data. This is known as an XML eXternal Entity
(XXE) attack.
Recommendations
Configure the XML parser to disable external entity resolution.
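The recommendation above is the whole fix. As an added illustration (not code from POI and not the contents of OOXMLPrettyPrint.java), the following standalone Java class shows a parse-then-pretty-print path built on a DocumentBuilderFactory and TransformerFactory with DOCTYPE processing, external entity resolution and external DTD/stylesheet access switched off, and a constructed sample input carrying an external entity declaration that the hardened parser rejects before any URI is resolved. The class name, the placeholder URI and the sample documents are assumptions made for the example; the feature URIs are the standard Xerces/SAX ones and the XMLConstants properties are JAXP 1.5 (JDK 7u40 and later).

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical class written for this example; it is not POI's OOXMLPrettyPrint.
public class HardenedPrettyPrint {

    // Constructed sample input: a DOCTYPE declaring an external entity.
    // The SYSTEM URI is a placeholder; the hardened parser must fail before
    // it ever attempts to resolve it.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///placeholder-never-read\"> ]>\n"
      + "<doc><v>&ext;</v></doc>";

    // Constructed sample input with no DOCTYPE, which should still be accepted.
    static final String PLAIN_XML = "<doc><a><b>1</b></a></doc>";

    /** DocumentBuilderFactory with DTDs and external entity resolution disabled. */
    static DocumentBuilderFactory hardenedBuilderFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no entity declarations, no DTD fetch.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour only the SAX-level features.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties: an empty string allows no external protocol at all.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);
        return dbf;
    }

    /** TransformerFactory that will not fetch external DTDs or stylesheets. */
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Parses with the hardened factory, then re-serialises the DOM with indentation. */
    static String prettyPrint(String xml) throws Exception {
        DocumentBuilder db = hardenedBuilderFactory().newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        Transformer t = hardenedTransformerFactory().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Well-formed input without a DOCTYPE still pretty-prints normally.
        System.out.println(prettyPrint(PLAIN_XML));
        // Input carrying an external entity declaration is refused at parse time.
        try {
            prettyPrint(UNTRUSTED_XML);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature is the decisive setting: with it on, the parser raises a SAXParseException on the DOCTYPE line, so neither the external entity nor any DTD URI is ever fetched. The remaining features and the ACCESS_EXTERNAL_* properties matter when an application genuinely needs to accept DTDs and therefore cannot use the first switch; the TransformerFactory settings cover the second half of a pretty-printer, since the transformer could otherwise resolve external references of its own during serialisation.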
Flaw Id: 7
Module: poi-ooxml-4.1.0.jar
Location: OOXMLPrettyPrint.java 108
Flaw Id: 8
Module: poi-ooxml-4.1.0.jar
Location: OOXMLPrettyPrint.java 135