CVE-2022-23640: Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer
Basic Information

Field | Value |
---|---|
CVSS Score | 9.8 (CVSS v3.1) |
CVE ID | |
GHSA ID | |
EPSS Score | 0.55524% |
CWE | |
Published | 3/2/2022 |
Updated | 7/24/2023 |
KEV Status | No |
Technology | Java |
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
com.monitorjbl:xlsx-streamer | maven | < 2.1.0 | 2.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure default XML parser configuration. While the exact file and function names are not visible in the available resources, the commit message and the advisory explicitly state that the root cause was missing security settings on the XML parser. All versions before 2.1.0 used Apache Xerces/Xerces2-j without setting features such as FEATURE_SECURE_PROCESSING, DISALLOW_DOCTYPE_DECL, or LOAD_EXTERNAL_DTD, so a DOCTYPE declaration inside the spreadsheet's XML parts could declare and resolve external entities. These settings are normally applied where the parser is initialized, which makes the parser setup functions the logical vulnerable component.
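The following is an added example, not code from xlsx-streamer or from the advisory, showing what the missing settings look like when they are applied. It hardens both a SAX factory (with the Xerces feature URIs behind the names above) and a StAX `XMLInputFactory`, which is the streaming API a library like this one would plausibly use (an assumption; the page does not name the API). The worksheet fragment and the DOCTYPE-prefixed variant are constructed test inputs; the weak configuration is simply the factory with its defaults untouched.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlParsers {

    // Xerces/SAX feature URIs corresponding to the names used in the root cause analysis.
    static final String DISALLOW_DOCTYPE_DECL =
            "http://apache.org/xml/features/disallow-doctype-decl";
    static final String LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    static final String EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";

    /** Weak configuration: defaults only. This is the shape of the pre-2.1.0 setup. */
    static SAXParserFactory defaultSaxFactory() {
        return SAXParserFactory.newInstance();
    }

    /** Hardened configuration: DTDs rejected, external entities and XInclude disabled. */
    static SAXParserFactory hardenedSaxFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE_DECL, true);      // any <!DOCTYPE ...> is a parse error
        f.setFeature(LOAD_EXTERNAL_DTD, false);         // belt and braces if DOCTYPE were allowed
        f.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        f.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    /** StAX equivalent: no DTD processing and no external entity resolution. */
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** True if the given SAX factory parses the document without error. */
    static boolean saxAccepts(SAXParserFactory factory, String xml) throws Exception {
        SAXParser p = factory.newSAXParser();
        try {
            p.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    /** True if the hardened StAX reader consumes every event without error. */
    static boolean staxAccepts(String xml) {
        try {
            XMLStreamReader r = hardenedStaxFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                r.next();
            }
            return true;
        } catch (XMLStreamException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a minimal worksheet part, and the same part with a DOCTYPE prepended.
        String plain = "<worksheet><sheetData><row r=\"1\"><c r=\"A1\"><v>42</v></c></row>"
                + "</sheetData></worksheet>";
        String withDoctype = "<!DOCTYPE worksheet [<!ENTITY x \"test\">]>" + plain;

        System.out.println("default SAX, plain:    " + saxAccepts(defaultSaxFactory(), plain));
        System.out.println("default SAX, DOCTYPE:  " + saxAccepts(defaultSaxFactory(), withDoctype));
        System.out.println("hardened SAX, plain:   " + saxAccepts(hardenedSaxFactory(), plain));
        System.out.println("hardened SAX, DOCTYPE: " + saxAccepts(hardenedSaxFactory(), withDoctype));
        System.out.println("hardened StAX, plain:  " + staxAccepts(plain));
        System.out.println("hardened StAX, DOCTYPE:" + staxAccepts(withDoctype));
    }
}
```

The default factory accepts both inputs, which is the behaviour the advisory describes; the hardened SAX factory accepts the plain worksheet and rejects the one carrying a DOCTYPE. Reviewing a dependency for this class of issue therefore comes down to locating every `newInstance()` call on an XML factory and checking that these properties are set before a parser is created.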