
CVE-2014-3574: Improper Input Validation in Apache POI

CVSS Score
4.3

Basic Information

EPSS Score
0.93126%
Published
5/17/2022
Updated
4/16/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector (v2)
AV:N/AC:M/Au:N/C:N/I:N/A:P

Package Name        Ecosystem  Vulnerable Versions  First Patched Version
org.apache.poi:poi  maven      < 3.10.1             3.10.1
org.apache.poi:poi  maven      = 3.11-beta1         3.11-beta2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability (CVE-2014-3574) stems from improper XML parser configuration in Apache POI's OOXML handling. Key evidence includes:

  1. The vulnerability specifically affects OOXML file processing.
  2. The fix commits (r1615720/r1615731) change the XML parser configuration.
  3. Red Hat advisories explicitly describe the issue as XML Entity Expansion (XEE) in an OOXML context.
  4. DocumentHelper.java is POI's central XML parser factory, and an earlier vulnerability (CVE-2014-3529) was fixed there as well.
  5. Package properties parsing is a common attack surface for OOXML metadata-based exploits.

The parsers POI created for these OOXML parts lacked critical security settings, notably FEATURE_SECURE_PROCESSING and entity expansion limits, which is what enabled the XEE attack vector.
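The misconfiguration described above, as an added illustration rather than code from Apache POI or from this page: a JAXP DocumentBuilderFactory left at its defaults next to one configured the way a hardened OOXML part parser should be, both fed a constructed core-properties part that carries a nested entity-expansion payload. The class XeeDemo, its method names and the payload are this example's own; the feature URIs are the standard JAXP/Xerces ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

/**
 * Added example, not Apache POI code: an unhardened JAXP parser next to a
 * hardened one, both parsing a constructed OOXML core-properties part that
 * carries a nested entity-expansion (XEE) payload. Requires Java 11+ for
 * String.repeat.
 */
public class XeeDemo {

    /** Constructed payload: entity eN expands to ten copies of e(N-1), so the
     *  single reference &e{depth}; in the title expands to 10^depth copies of
     *  the base string. Only the XML text of one part is shown; in a real
     *  attack it sits inside the .docx/.xlsx ZIP container. */
    static String buildPayload(int depth) {
        StringBuilder sb = new StringBuilder();
        sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
        sb.append("<!DOCTYPE cp:coreProperties [\n");
        sb.append("  <!ENTITY e0 \"").append("xee-".repeat(10)).append("\">\n");
        for (int i = 1; i <= depth; i++) {
            String prev = "&e" + (i - 1) + ";";
            sb.append("  <!ENTITY e").append(i).append(" \"")
              .append(prev.repeat(10)).append("\">\n");
        }
        sb.append("]>\n");
        sb.append("<cp:coreProperties xmlns:cp=\"http://schemas.openxmlformats.org/package/2006/metadata/core-properties\"\n");
        sb.append("    xmlns:dc=\"http://purl.org/dc/elements/1.1/\">\n");
        sb.append("  <dc:title>&e").append(depth).append(";</dc:title>\n");
        sb.append("</cp:coreProperties>\n");
        return sb.toString();
    }

    /** The weak configuration: namespace-aware, nothing else. Whether this
     *  actually expands the whole payload depends on the JAXP implementation
     *  and its default expansion limit; nothing here refuses the DOCTYPE or
     *  caps expansion itself. */
    static DocumentBuilderFactory unhardenedFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    /** The hardened configuration: secure processing (expansion limits), no
     *  DOCTYPE at all (so no entity declarations can be supplied), no external
     *  entities or DTDs, no XInclude, no entity expansion in the DOM. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the part and reports either the expanded title length or the
     *  parser's refusal; a real consumer would propagate the exception. */
    static String parseWith(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            int titleLen = d.getDocumentElement().getTextContent().trim().length();
            return "parsed, title expanded to " + titleLen + " chars";
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // 10^5 copies of a 40-character string if fully expanded; deeper nesting
        // is what turns this into the CPU/memory exhaustion the CVE describes.
        String part = buildPayload(5);
        System.out.println("unhardened: " + parseWith(unhardenedFactory(), part));
        System.out.println("hardened:   " + parseWith(hardenedFactory(), part));
    }
}
```

On a current JDK the unhardened run usually fails too, but only because the JDK's own jdk.xml.entityExpansionLimit (64,000 by default) trips after the parser has already accepted and started expanding the entities; the hardened factory refuses the document at the DOCTYPE, before any entity can be declared, which is the property a parser for attacker-supplied OOXML parts needs.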


Description

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
