CVE-2016-5000 : The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read a

The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Published 2016-08-05 14:59:10

Updated 2025-04-12 10:46:41

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Products affected by CVE-2016-5000

Apache » POI
Versions up to, including, (<=) 3.13
cpe:2.3:a:apache:poi:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-5000

EPSS FAQ

0.30%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 50 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-5000

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.5	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2016-5000

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-5000

https://www.oracle.com/security-alerts/cpuoct2020.html

Oracle Critical Patch Update Advisory - October 2020

CVEs referencing this url
http://www.securityfocus.com/archive/1/538981/100/0/threaded

SecurityFocus
https://lists.apache.org/list.html?user%40poi.apache.org

dev@user%40poi.apache.org, past month - Apache Mail Archives
http://www.securityfocus.com/bid/92100

Apache POI CVE-2016-5000 XML External Entity Injection Vulnerability
https://lists.apache.org/list.html?user@poi.apache.org

user@poi.apache.org - Pony Mail!
Mailing List
http://www.securitytracker.com/id/1037741

IBM InfoSphere Information Server XML External Entity Processing Flaw in Apache POI Lets Remote Users Obtain Potentially Sensitive Information - SecurityTracker
http://www-01.ibm.com/support/docview.wss?uid=swg21996759

IBM Security Bulletin: Vulnerabilities in Apache POI affects IBM InfoSphere Information Server

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-5000

Products affected by CVE-2016-5000

Exploit prediction scoring system (EPSS) score for CVE-2016-5000

CVSS scores for CVE-2016-5000

CWE ids for CVE-2016-5000

References for CVE-2016-5000