ALT-PU-2016-3318-1 — apache-poi

CVE-2012-0213

MEDIUM5.0

The UnhandledDataStructure function in hwpf/model/UnhandledDataStructure.java in Apache POI 3.8 and earlier allows remote attackers to cause a denial of service (OutOfMemoryError exception and possibly JVM destabilization) via a crafted length value in a Channel Definition Format (CDF) or Compound File Binary Format (CFBF) document.

Published: 2012-08-07Modified: 2026-04-29

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

References

CVE-2014-3529

MEDIUM4.3

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Published: 2014-09-04Modified: 2025-04-12

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N

References

CVE-2014-3574

MEDIUM4.3

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

Published: 2014-09-04Modified: 2025-04-12

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P

References

CVE-2014-9527

MEDIUM5.0

HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.

Published: 2015-01-06Modified: 2025-04-12

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

References

GHSA-5wfp-8643-c58x

NONE

Improper Input Validation in Apache POI

Published: 2022-05-17Modified: 2024-04-16

References

GHSA-jqx5-h2hw-5q4f

NONE

Denial of Service in Apache POI

Published: 2022-05-04Modified: 2024-03-05

References

GHSA-q56h-jjj6-52mf

NONE

Improper Restriction of XML External Entity Reference in Apache POI

Published: 2022-05-17Modified: 2024-04-16

References

GHSA-x9mm-6gpf-f749

NONE

Loop with Unreachable Exit Condition in Apache POI

Published: 2022-05-17Modified: 2022-07-06

References

Package update apache-poi in branch sisyphus

Closed issues (8)

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.

Improper Input Validation in Apache POI

Denial of Service in Apache POI

Improper Restriction of XML External Entity Reference in Apache POI

Loop with Unreachable Exit Condition in Apache POI