poi-3.9.jar: 5 vulnerabilities (highest severity is: 5.5) reachable #7
Description
Vulnerable Library - poi-3.9.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to vulnerable library: /lib/poi-3.9-20121203.jar
Found in HEAD commit: e08146876a4b9212298dcf2ba43b598cff0abe3b
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (poi version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-12415 |  Medium |
5.5 | Not Defined | 0.0% | poi-3.9.jar | Direct | 4.1.1 | ❌ |
|
| CVE-2017-5644 | Medium |
5.5 | Not Defined | 0.70000005% | poi-3.9.jar | Direct | org.apache.poi:poi-ooxml:3.15 | ❌ |
|
| CVE-2014-3574 |  Low |
3.7 | Not Defined | 11.1% | poi-3.9.jar | Direct | 3.10.1,3.11-beta2 | ❌ |
|
| CVE-2014-3529 | Low |
3.7 | Not Defined | 4.5% | poi-3.9.jar | Direct | 3.10.1 | ❌ |
|
| WS-2016-7061 | Medium |
4.8 | Not Defined | poi-3.9.jar | Direct | 3.16-beta1 | ❌ |
|
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-12415
Vulnerable Library - poi-3.9.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to vulnerable library: /lib/poi-3.9-20121203.jar
Dependency Hierarchy:
- ❌ poi-3.9.jar (Vulnerable Library)
Found in HEAD commit: e08146876a4b9212298dcf2ba43b598cff0abe3b
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
net.pricing.common.parser.helper.POIExcelParser (Application)
-> org.apache.poi.hssf.usermodel.HSSFWorkbook (Extension)
-> org.apache.poi.hssf.record.RecordFactory (Extension)
-> ❌ org.apache.poi.hssf.record.VCenterRecord (Vulnerable Component)
Vulnerability Details
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
Publish Date: 2019-10-23
URL: CVE-2019-12415
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12415
Release Date: 2019-10-23
Fix Resolution: 4.1.1
CVE-2017-5644
Vulnerable Library - poi-3.9.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to vulnerable library: /lib/poi-3.9-20121203.jar
Dependency Hierarchy:
- ❌ poi-3.9.jar (Vulnerable Library)
Found in HEAD commit: e08146876a4b9212298dcf2ba43b598cff0abe3b
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
net.pricing.common.parser.helper.POIExcelParser (Application)
-> org.apache.poi.ss.usermodel.Sheet (Extension)
-> org.apache.poi.ss.usermodel.DataValidation (Extension)
-> org.apache.poi.ss.usermodel.DataValidationConstraint (Extension)
-> ❌ org.apache.poi.ss.usermodel.DataValidationConstraint$ValidationType (Vulnerable Component)
Vulnerability Details
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Publish Date: 2017-03-24
URL: CVE-2017-5644
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.70000005%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5644
Release Date: 2017-03-24
Fix Resolution: org.apache.poi:poi-ooxml:3.15
CVE-2014-3574
Vulnerable Library - poi-3.9.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to vulnerable library: /lib/poi-3.9-20121203.jar
Dependency Hierarchy:
- ❌ poi-3.9.jar (Vulnerable Library)
Found in HEAD commit: e08146876a4b9212298dcf2ba43b598cff0abe3b
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
net.pricing.common.parser.helper.POIExcelParser (Application)
-> org.apache.poi.hssf.usermodel.HSSFWorkbook (Extension)
-> org.apache.poi.hssf.model.InternalSheet (Extension)
-> ❌ org.apache.poi.hssf.record.DefaultRowHeightRecord (Vulnerable Component)
Vulnerability Details
Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Publish Date: 2014-09-04
URL: CVE-2014-3574
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 11.1%
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3574
Release Date: 2014-09-04
Fix Resolution: 3.10.1,3.11-beta2
CVE-2014-3529
Vulnerable Library - poi-3.9.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to vulnerable library: /lib/poi-3.9-20121203.jar
Dependency Hierarchy:
- ❌ poi-3.9.jar (Vulnerable Library)
Found in HEAD commit: e08146876a4b9212298dcf2ba43b598cff0abe3b
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
net.pricing.common.parser.helper.POIExcelParser (Application)
-> org.apache.poi.hssf.usermodel.HSSFWorkbook (Extension)
-> org.apache.poi.hpsf.PropertySet (Extension)
-> org.apache.poi.hpsf.Property (Extension)
-> org.apache.poi.hpsf.UnsupportedVariantTypeException (Extension)
-> ❌ org.apache.poi.hpsf.VariantTypeException (Vulnerable Component)
Vulnerability Details
The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Publish Date: 2014-09-04
URL: CVE-2014-3529
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.5%
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3529
Release Date: 2014-09-04
Fix Resolution: 3.10.1
WS-2016-7061
Vulnerable Library - poi-3.9.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to vulnerable library: /lib/poi-3.9-20121203.jar
Dependency Hierarchy:
- ❌ poi-3.9.jar (Vulnerable Library)
Found in HEAD commit: e08146876a4b9212298dcf2ba43b598cff0abe3b
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Apache POI before 3.16-beta1 is vulnerable to bufferoverflow attack due to lack of length sanity check for length of embedded OLE10Native.
Publish Date: 2016-10-14
URL: WS-2016-7061
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2016-10-14
Fix Resolution: 3.16-beta1