9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23640

GHSA ID

GHSA-xvm2-9xvc-hx7f

EPSS Score

0.55524%

CWE

CWE-611

Published

3/2/2022

Updated

7/24/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23640

CVE-2022-23640: Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer

Impact

Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues.

Patches

Upgrade to version 2.1.0.

Workarounds

No known workaround.

References

https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73

For more information

If you have any questions or comments about this advisory:

Open an issue in monitorjbl/excel-streaming-reader

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23640

GHSA ID

GHSA-xvm2-9xvc-hx7f

EPSS Score

0.55524%

CWE

CWE-611

Published

3/2/2022

Updated

7/24/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.monitorjbl:xlsx-streamer	maven	< 2.1.0	2.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure default XML parser configurations. While the exact file/function names aren't visible in available resources, the commit message and advisory explicitly state the root cause was missing security settings in the XML parser. All versions <2.1.0 used Apache Xerces/Xerces2-j without properly setting features like FEATURE_SECURE_PROCESSING, DISALLOW_DOCTYPE_DECL, or LOAD_EXTERNAL_DTD. These settings are typically configured in XML parser initialization code, making parser setup functions the logical vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Prior to xlsx-str**m*r *.*.*, t** XML p*rs*r t**t w*s us** *i* not *pply *ll t** n***ss*ry s*ttin*s to pr*v*nt XML *ntity *xp*nsion issu*s. ### P*t***s Up*r*** to v*rsion *.*.*. ### Work*roun*s No known work*roun*. ### R***r*n**s *ttps:

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* ****ult XML p*rs*r *on*i*ur*tions. W*il* t** *x**t *il*/*un*tion n*m*s *r*n't visi*l* in *v*il**l* r*sour**s, t** *ommit m*ss*** *n* **visory *xpli*itly st*t* t** root **us* w*s missin* s**urity s*ttin*s in t** X

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-23640: Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer

Impact

Patches

Workarounds

References

For more information

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI