Vulnerability in Apache Poi

CVE-2014-3574

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

EPSS: 0.126 (94.1th percentile) — read the EPSS interpretation.

Affected products

Apache Poi — versions 0.1, 0.2, 0.3
N/a — versions n/a

References

secalert@redhat.com (x_refsource_CONFIRM)
69648 (vdb-entry, x_refsource_BID)
secalert@redhat.com (x_refsource_CONFIRM)
61766 (x_refsource_SECUNIA, third-party-advisory)
secalert@redhat.com (x_refsource_CONFIRM, Patch, Vendor Advisory)
RHSA-2014:1370 (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
60419 (x_refsource_SECUNIA, third-party-advisory)
apache-poi-cve20143574-dos(95768) (vdb-entry, x_refsource_XF)
RHSA-2014:1400 (x_refsource_REDHAT, vendor-advisory)