Vulnerability Details : CVE-2014-3529
The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerability category: XML external entity (XXE) injection
Exploit prediction scoring system (EPSS) score for CVE-2014-3529
Probability of exploitation activity in the next 30 days: 0.16%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 51 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2014-3529
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST |
References for CVE-2014-3529
-
https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations
Apache Solr - NewsVendor Advisory
-
http://rhn.redhat.com/errata/RHSA-2014-1370.html
RHSA-2014:1370 - Security Advisory - Red Hat Customer Portal
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/95770
Apache POI OPC SAX setup information disclosure CVE-2014-3529 Vulnerability Report
-
http://www.securityfocus.com/bid/78018
RETIRED: POI CVE-2014-3529 Remote Security Vulnerability
-
http://poi.apache.org/changes.html
History of Changes
-
http://rhn.redhat.com/errata/RHSA-2014-1398.html
RHSA-2014:1398 - Security Advisory - Red Hat Customer Portal
-
http://www.securityfocus.com/bid/69647
Apache POI OpenXML parser CVE-2014-3529 XML External Entity Information Disclosure Vulnerability
-
http://rhn.redhat.com/errata/RHSA-2014-1399.html
RHSA-2014:1399 - Security Advisory - Red Hat Customer Portal
- http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt
-
http://rhn.redhat.com/errata/RHSA-2014-1400.html
RHSA-2014:1400 - Security Advisory - Red Hat Customer Portal
-
http://www-01.ibm.com/support/docview.wss?uid=swg21996759
IBM Security Bulletin: Vulnerabilities in Apache POI affects IBM InfoSphere Information Server
Products affected by CVE-2014-3529
- cpe:2.3:a:apache:poi:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta5:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta4:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.1:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.10:dev:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.8:dev:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.7:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:pre3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.7:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta5:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta4:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta6:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.1:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:pre2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:pre1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.7:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0.2:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0.2:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.7:dev:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.10:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.10:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:*:*:*:*:*:*:*