The Apache POI team is pleased to announce the release of XMLBeans 3.1.0. XML external entity attack 26 March 2019 - XMLBeans 3.1.0 available This issue was discovered by Artem Smotrakov from SAP
#MICROSOFT OFFICE LOGO 2021 UPDATE#
Affected users are advised to update to Apache POI 4.1.1 Via XML External Entity (XXE) Processing.Īpache POI 4.1.0 and before: users who do not use the tool XSSFExportToXmlĪre not affected.
Read files from the local filesystem or from internal network resources When using the tool XSSFExportToXml to convert user-provided MicrosoftĮxcel documents, a specially crafted document can allow an attacker to XML external entity attack 20 October 2019 - CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI versions prior to 4.1.1
This issue was fixed a few years ago but on review, we decided we should have a CVEĪffected users are advised to update to Apache XMLBeans 3.0.0 or above When parsing XML files using XMLBeans 2.6.0 or below, the underlying parserĬreated by XMLBeans could be susceptible to XML External Entity (XXE) attacks. 13 January 2021 - CVE-2021-23926 - XML External Entity (XXE) Processing in Apache XMLBeans versions prior to 3.0.0 Version (currently v2.20.0) - including log4j-api.
#MICROSOFT OFFICE LOGO 2021 UPGRADE#
We strongly recommend that they upgrade all their log4j dependencies to the latest If any POI or XMLBeans user uses log4j-core to control their logging of their application, The security vulnerabilities are not in log4j-api - they are in log4j-core. POI 5.1.0 and XMLBeans 5.0.2 only have dependencies on log4j-api 2.14.1. The Apache POI PMC has evaluated the security vulnerabilities reported It is recommended that you use the same versions of all POI jars.
.svg/1200px-Microsoft_Office_logo_(2019–present).svg.png "microsoft office logo 2021"){kind=logo}
If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception.Īffected users are advised to update to poi-scratchpad 5.2.1 or above This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). 4 March 2022 - CVE-2022-26336 - A carefully crafted TNEF file can cause an out of memory exception in Apache POI poi-scratchpad versions prior to 5.2.0Ī shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. POI requires Java 8 or newer since version 4.0.1. People interested should also follow the dev list to track progress. Several dependencies were updated to their latest versions to pick up security fixes and other improvements.Ī full list of changes is available in the change log. The Apache POI team is pleased to announce the release of 5.2.3.
0 kommentar(er)
