Miggo Logo

CVE-2016-5000: Apache POI's XLSX2CSV Example XML External Entity (XXE) Vulnerability

5.5

CVSS Score
3.0

Basic Information

EPSS Score
0.52961%
Published
5/13/2022
Updated
9/26/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.poi:poi-examplesmaven<= 3.133.14

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability manifests in XML parsing logic within the XLSX2CSV example. The primary vulnerable function is the sheet processing method that initiates XML parsing without security features. The XSSFSheetXMLHandler's element processing is implicated as it handles XML data from spreadsheets. Both locations would appear in stack traces when parsing malicious XLSX files, with the example's processSheet being the direct entry point for conversion logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** XLSX**SV *x*mpl* in *p**** POI ***or* *.** *llows r*mot* *tt**k*rs to r*** *r*itr*ry *il*s vi* * *r**t** Op*nXML *o*um*nt *ont*inin* *n *xt*rn*l *ntity ***l*r*tion in *onjun*tion wit* *n *ntity r***r*n**, r*l*t** to *n XML *xt*rn*l *ntity (XX*) i

Reasoning

T** vuln*r**ility m*ni**sts in XML p*rsin* lo*i* wit*in t** `XLSX**SV` *x*mpl*. T** prim*ry vuln*r**l* *un*tion is t** `s***t pro**ssin*` m*t*o* t**t initi*t*s XML p*rsin* wit*out s**urity ***tur*s. T** `XSS*S***tXML**n*l*r`'s *l*m*nt pro**ssin* is i