Vulnerability Details : CVE-2014-3529
The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2014-3529
- cpe:2.3:a:apache:poi:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta5:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta4:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.1:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.10:dev:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.8:dev:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.7:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:pre3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.7:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta5:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta4:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta6:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.1:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:pre2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:pre1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.7:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0.2:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0.2:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.7:dev:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.10:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.10:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3529
4.55%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 88 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-3529
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST |
References for CVE-2014-3529
-
https://lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations
Apache Solr - NewsVendor Advisory
-
http://secunia.com/advisories/59943
Sign in
-
http://secunia.com/advisories/60419
Sign in
-
http://rhn.redhat.com/errata/RHSA-2014-1370.html
RHSA-2014:1370 - Security Advisory - Red Hat Customer Portal
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/95770
Apache POI OPC SAX setup information disclosure CVE-2014-3529 Vulnerability Report
-
http://www.securityfocus.com/bid/78018
RETIRED: POI CVE-2014-3529 Remote Security Vulnerability
-
http://poi.apache.org/changes.html
History of Changes
-
http://rhn.redhat.com/errata/RHSA-2014-1398.html
RHSA-2014:1398 - Security Advisory - Red Hat Customer Portal
-
http://www.securityfocus.com/bid/69647
Apache POI OpenXML parser CVE-2014-3529 XML External Entity Information Disclosure Vulnerability
-
http://rhn.redhat.com/errata/RHSA-2014-1399.html
RHSA-2014:1399 - Security Advisory - Red Hat Customer Portal
-
http://secunia.com/advisories/61766
Sign in
-
http://www.apache.org/dist/poi/release/RELEASE-NOTES.txt
-
http://rhn.redhat.com/errata/RHSA-2014-1400.html
RHSA-2014:1400 - Security Advisory - Red Hat Customer Portal
-
http://www-01.ibm.com/support/docview.wss?uid=swg21996759
IBM Security Bulletin: Vulnerabilities in Apache POI affects IBM InfoSphere Information Server
Jump to