poi-3.10-FINAL.jar: 5 vulnerabilities (highest severity is: 5.5) reachable #24
Description
Vulnerable Library - poi-3.10-FINAL.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi/3.10-FINAL/poi-3.10-FINAL.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (poi version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-5644 |  Medium |
5.5 | Not Defined | 1.0% | poi-3.10-FINAL.jar | Direct | org.apache.poi:poi-ooxml:3.15 | ✅ |
|
| WS-2016-7061 | Medium |
4.8 | Not Defined | poi-3.10-FINAL.jar | Direct | 3.16-beta1 | ✅ |
|
|
| CVE-2014-3574 |  Low |
3.7 | Not Defined | 11.1% | poi-3.10-FINAL.jar | Direct | 3.10.1,3.11-beta2 | ✅ |
|
| CVE-2014-3529 | Low |
3.7 | Not Defined | 4.5% | poi-3.10-FINAL.jar | Direct | 3.10.1 | ✅ |
|
| CVE-2019-12415 | Medium |
5.5 | Not Defined | 0.4% | poi-3.10-FINAL.jar | Direct | 4.1.1 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2017-5644
Vulnerable Library - poi-3.10-FINAL.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi/3.10-FINAL/poi-3.10-FINAL.jar
Dependency Hierarchy:
- ❌ poi-3.10-FINAL.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.config.CustomCorsConfig (Application)
-> org.springframework.boot.autoconfigure.web.WebMvcRegistrationsAdapter (Extension)
-> org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver (Extension)
-> org.springframework.web.servlet.view.document.AbstractExcelView (Extension)
...
-> org.apache.poi.hssf.record.NameRecord (Extension)
-> org.apache.poi.hssf.record.cont.ContinuableRecordOutput (Extension)
-> ❌ org.apache.poi.hssf.record.cont.ContinuableRecordOutput$1 (Vulnerable Component)
Vulnerability Details
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Publish Date: 2017-03-24
URL: CVE-2017-5644
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.0%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5644
Release Date: 2017-03-24
Fix Resolution: org.apache.poi:poi-ooxml:3.15
⛑️ Automatic Remediation will be attempted for this issue.
WS-2016-7061
Vulnerable Library - poi-3.10-FINAL.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi/3.10-FINAL/poi-3.10-FINAL.jar
Dependency Hierarchy:
- ❌ poi-3.10-FINAL.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.config.CustomCorsConfig (Application)
-> org.springframework.boot.autoconfigure.web.WebMvcRegistrationsAdapter (Extension)
-> org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver (Extension)
-> org.springframework.web.servlet.view.document.AbstractExcelView (Extension)
-> org.apache.poi.hssf.usermodel.HSSFWorkbook (Extension)
-> ❌ org.apache.poi.poifs.filesystem.Ole10Native (Vulnerable Component)
Vulnerability Details
Apache POI before 3.16-beta1 is vulnerable to bufferoverflow attack due to lack of length sanity check for length of embedded OLE10Native.
Publish Date: 2016-10-14
URL: WS-2016-7061
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2016-10-14
Fix Resolution: 3.16-beta1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2014-3574
Vulnerable Library - poi-3.10-FINAL.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi/3.10-FINAL/poi-3.10-FINAL.jar
Dependency Hierarchy:
- ❌ poi-3.10-FINAL.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.controller.othervulns.xlsxStreamerXXE (Application)
-> com.monitorjbl.xlsx.StreamingReader (Extension)
-> com.monitorjbl.xlsx.StreamingReader$Builder (Extension)
-> org.apache.poi.poifs.filesystem.POIFSFileSystem (Extension)
...
-> org.apache.poi.poifs.filesystem.NPOIFSDocument (Extension)
-> org.apache.poi.poifs.filesystem.NPOIFSStream (Extension)
-> ❌ org.apache.poi.poifs.filesystem.NPOIFSStream$StreamBlockByteBufferIterator (Vulnerable Component)
Vulnerability Details
Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Publish Date: 2014-09-04
URL: CVE-2014-3574
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 11.1%
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3574
Release Date: 2014-09-04
Fix Resolution: 3.10.1,3.11-beta2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2014-3529
Vulnerable Library - poi-3.10-FINAL.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi/3.10-FINAL/poi-3.10-FINAL.jar
Dependency Hierarchy:
- ❌ poi-3.10-FINAL.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.controller.othervulns.ooxmlXXE (Application)
-> org.apache.poi.xssf.usermodel.XSSFCell (Extension)
-> org.apache.poi.ss.formula.FormulaRenderingWorkbook (Extension)
-> org.apache.poi.ss.formula.WorkbookEvaluator (Extension)
...
-> org.apache.poi.ss.formula.functions.Sumx2my2 (Extension)
-> org.apache.poi.ss.formula.functions.XYNumericFunction (Extension)
-> ❌ org.apache.poi.ss.formula.functions.XYNumericFunction$ValueArray (Vulnerable Component)
Vulnerability Details
The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Publish Date: 2014-09-04
URL: CVE-2014-3529
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.5%
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3529
Release Date: 2014-09-04
Fix Resolution: 3.10.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-12415
Vulnerable Library - poi-3.10-FINAL.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi/3.10-FINAL/poi-3.10-FINAL.jar
Dependency Hierarchy:
- ❌ poi-3.10-FINAL.jar (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Vulnerability Details
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
Publish Date: 2019-10-23
URL: CVE-2019-12415
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12415
Release Date: 2019-10-23
Fix Resolution: 4.1.1
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.