CVE-2016-5000: Apache POI's XLSX2CSV Example XML External Entity (XXE) Vulnerability
CVSS Score: 5.5 (CVSS 3.0)
Basic Information

CVE ID: CVE-2016-5000
GHSA ID:
EPSS Score: 0.52961%
CWE:
Published: 5/13/2022
Updated: 9/26/2023
KEV Status: No
Technology: Java
Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.poi:poi-examples | maven | <= 3.13 | 3.14 |
Vulnerability Intelligence (Miggo AI)

Root Cause Analysis
The vulnerability lies in the XML parsing logic of the XLSX2CSV example. The primary vulnerable function is the example's sheet-processing method, processSheet, which creates a SAX parser and starts parsing the sheet XML without enabling the parser's security features, so external entities declared in a crafted sheet are resolved. The element-processing code of XSSFSheetXMLHandler is also implicated, since it receives the XML events from the spreadsheet. Both locations would appear in a stack trace while a malicious XLSX file is being parsed, with the example's processSheet being the direct entry point for the conversion logic.
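The following is an added illustration and not Apache POI's own XLSX2CSV code or its 3.14 fix. It contrasts a SAX reader created with default settings (the pattern the analysis above describes) with one that refuses DOCTYPE declarations and external entity resolution before the sheet XML is handed to XSSFSheetXMLHandler. The JAXP and SAX feature URIs are standard; the `processSheet` signature, the XSSFSheetXMLHandler constructor wiring and the constructed sample XML in `main` are assumptions made for this example.

```java
// Added example, not code from Apache POI: a hardened SAX reader for an
// XLSX-to-CSV converter, beside the unhardened pattern it replaces.
import java.io.InputStream;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;
// POI classes assumed for the processSheet wiring below (poi-ooxml on the classpath).
import org.apache.poi.xssf.eventusermodel.ReadOnlySharedStringsTable;
import org.apache.poi.xssf.eventusermodel.XSSFSheetXMLHandler;
import org.apache.poi.xssf.model.StylesTable;

public final class HardenedSheetParser {

    // Vulnerable pattern: a reader with default features. A sheet XML part that
    // carries a DOCTYPE with an external entity is resolved while converting,
    // which is the XXE condition the advisory describes.
    static XMLReader unhardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        return factory.newSAXParser().getXMLReader();
    }

    // Hardened reader: ban DOCTYPE outright, and as defence in depth switch off
    // external general/parameter entities and external DTD loading, then enable
    // JAXP secure processing.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setXIncludeAware(false);
        setFeature(factory, "http://apache.org/xml/features/disallow-doctype-decl", true);
        setFeature(factory, "http://xml.org/sax/features/external-general-entities", false);
        setFeature(factory, "http://xml.org/sax/features/external-parameter-entities", false);
        setFeature(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        setFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = factory.newSAXParser().getXMLReader();
        // Even if a feature is unsupported by the JAXP implementation in use,
        // never hand the parser anything for an external entity.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    // Not every JAXP implementation recognises every feature; report and continue,
    // because the DOCTYPE ban and the empty EntityResolver still apply.
    private static void setFeature(SAXParserFactory factory, String name, boolean value) {
        try {
            factory.setFeature(name, value);
        } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
            System.err.println("Parser does not support " + name + ": " + e.getMessage());
        }
    }

    // Assumed shape of the converter's processSheet: parse one sheet part with the
    // hardened reader and forward events to POI's XSSFSheetXMLHandler.
    static void processSheet(StylesTable styles, ReadOnlySharedStringsTable strings,
                             XSSFSheetXMLHandler.SheetContentsHandler contents,
                             InputStream sheetXml) throws Exception {
        XMLReader reader = hardenedReader();
        reader.setContentHandler(new XSSFSheetXMLHandler(styles, strings, contents, false));
        reader.parse(new InputSource(sheetXml));
    }

    // Stand-alone check with constructed input: a sheet-like document carrying a
    // DOCTYPE must be rejected by the hardened reader, a plain one must parse.
    public static void main(String[] args) throws Exception {
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE worksheet [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
            + "<worksheet><sheetData><row><c><v>&ext;</v></c></row></sheetData></worksheet>";
        String plain = "<worksheet><sheetData><row><c><v>42</v></c></row></sheetData></worksheet>";

        XMLReader reader = hardenedReader();
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("unexpected: DOCTYPE document was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
        reader.parse(new InputSource(new StringReader(plain)));
        System.out.println("plain sheet parsed");
    }
}
```

The DOCTYPE ban is the primary control; the entity features and the empty `EntityResolver` only matter if a JAXP implementation silently ignores `disallow-doctype-decl`, which is why the example layers them rather than relying on one switch.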