Posted to commits@poi.apache.org by fa...@apache.org on 2021/01/13 17:41:42 UTC
svn commit: r1885440 - /poi/site/publish/index.html
Author: fanningpj
Date: Wed Jan 13 17:41:42 2021
New Revision: 1885440
URL: http://svn.apache.org/viewvc?rev=1885440&view=rev
Log:
add cve news
Modified:
poi/site/publish/index.html
Modified: poi/site/publish/index.html
URL: http://svn.apache.org/viewvc/poi/site/publish/index.html?rev=1885440&r1=1885439&r2=1885440&view=diff
==============================================================================
--- poi/site/publish/index.html (original)
+++ poi/site/publish/index.html Wed Jan 13 17:41:42 2021
@@ -179,6 +179,20 @@ document.write("Last Published: " + docu
<a name="Project+News"></a>
<h2 class="boxed">Project News</h2>
<div class="section">
+<a name="13+January+2020+-+CVE-2021-23926+-+XML+External+Entity+%28XXE%29+Processing+in+Apache+XMLBeans+versions+prior+to+3.0.0"></a>
+<h3 class="boxed">13 January 2020 - CVE-2021-23926 - XML External Entity (XXE) Processing in Apache XMLBeans versions prior to 3.0.0</h3>
+<p>Description:<br>
+ When parsing XML files using XMLBeans 2.6.0 or below, the underlying parser
+ created by XMLBeans could be susceptible to XML External Entity (XXE) attacks.</p>
+<p>This issue was fixed a few years ago but on review, we decided we should have a CVE
+ to raise awareness of the issue.</p>
+<p>Mitigation:<br>
+ Affected users are advised to update to Apache XMLBeans 3.0.0 or above
+ which fixes this vulnerability. XMLBeans 4.0.0 or above is preferable.</p>
+<p>References:
+ <a href="https://en.wikipedia.org/wiki/XML_external_entity_attack">XML external entity attack</a>
+
+</p>
<a name="18+October+2020+-+XMLBeans+4.0.0+available"></a>
<h3 class="boxed">18 October 2020 - XMLBeans 4.0.0 available</h3>
<p>The Apache POI team is pleased to announce the release of XMLBeans 4.0.0.
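Review bot: the date in the new entry is wrong: the anchor name and the `<h3>` both read "13 January 2020", but the commit is dated 13 January 2021, the CVE identifier is CVE-2021-23926, and the item is inserted above the "18 October 2020" entry, so it should read "13 January 2021" in both the `<a name="13+January+2020+-+CVE-2021-23926+...">` and the heading text (and in the site source if this published file is generated from it). Two smaller points in the same hunk: the References paragraph ends with a stray empty `+` line before `</p>`, and unlike the Description and Mitigation paragraphs it has no `<br>` after "References:", so the link will render inline with the label rather than on its own line.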
@@ -210,7 +224,7 @@ document.write("Last Published: " + docu
via XML External Entity (XXE) Processing.</p>
<p>Mitigation:<br>
Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml
- are not affected. affected users are advised to update to Apache POI 4.1.1
+ are not affected. Affected users are advised to update to Apache POI 4.1.1
which fixes this vulnerability.</p>
<p>Credit:
This issue was discovered by Artem Smotrakov from SAP</p>