CVE-2014-3529
Summary
| CVE | CVE-2014-3529 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-09-04 17:55:00 UTC |
| Updated | 2017-08-29 01:34:00 UTC |
| Description | The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Poi | 0.1 | All | All | All |
| Application | Apache | Poi | 0.10.0 | All | All | All |
| Application | Apache | Poi | 0.11.0 | All | All | All |
| Application | Apache | Poi | 0.12.0 | All | All | All |
| Application | Apache | Poi | 0.13.0 | All | All | All |
| Application | Apache | Poi | 0.14.0 | All | All | All |
| Application | Apache | Poi | 0.2 | All | All | All |
| Application | Apache | Poi | 0.3 | All | All | All |
| Application | Apache | Poi | 0.4 | All | All | All |
| Application | Apache | Poi | 0.5 | All | All | All |
| Application | Apache | Poi | 0.6 | All | All | All |
| Application | Apache | Poi | 0.7 | All | All | All |
| Application | Apache | Poi | 1.0.0 | All | All | All |
| Application | Apache | Poi | 1.0.1 | All | All | All |
| Application | Apache | Poi | 1.0.2 | All | All | All |
| Application | Apache | Poi | 1.1.0 | All | All | All |
| Application | Apache | Poi | 1.10 | dev | All | All |
| Application | Apache | Poi | 1.2.0 | All | All | All |
| Application | Apache | Poi | 1.5 | All | All | All |
| Application | Apache | Poi | 1.5.1 | All | All | All |
| Application | Apache | Poi | 1.7 | dev | All | All |
| Application | Apache | Poi | 1.8 | dev | All | All |
| Application | Apache | Poi | 2.0 | All | All | All |
| Application | Apache | Poi | 2.0 | pre1 | All | All |
| Application | Apache | Poi | 2.0 | pre2 | All | All |
| Application | Apache | Poi | 2.0 | pre3 | All | All |
| Application | Apache | Poi | 2.0 | rc1 | All | All |
| Application | Apache | Poi | 2.0 | rc2 | All | All |
| Application | Apache | Poi | 2.5 | All | All | All |
| Application | Apache | Poi | 2.5.1 | All | All | All |
| Application | Apache | Poi | 3.0 | All | All | All |
| Application | Apache | Poi | 3.0 | alpha1 | All | All |
| Application | Apache | Poi | 3.0 | alpha2 | All | All |
| Application | Apache | Poi | 3.0 | alpha3 | All | All |
| Application | Apache | Poi | 3.0.1 | All | All | All |
| Application | Apache | Poi | 3.0.2 | All | All | All |
| Application | Apache | Poi | 3.0.2 | beta1 | All | All |
| Application | Apache | Poi | 3.0.2 | beta2 | All | All |
| Application | Apache | Poi | 3.1 | All | All | All |
| Application | Apache | Poi | 3.1 | beta1 | All | All |
| Application | Apache | Poi | 3.1 | beta2 | All | All |
| Application | Apache | Poi | 3.10 | beta1 | All | All |
| Application | Apache | Poi | 3.10 | beta2 | All | All |
| Application | Apache | Poi | 3.2 | All | All | All |
| Application | Apache | Poi | 3.5 | All | All | All |
| Application | Apache | Poi | 3.5 | beta1 | All | All |
| Application | Apache | Poi | 3.5 | beta2 | All | All |
| Application | Apache | Poi | 3.5 | beta3 | All | All |
| Application | Apache | Poi | 3.5 | beta4 | All | All |
| Application | Apache | Poi | 3.5 | beta5 | All | All |
| Application | Apache | Poi | 3.5 | beta6 | All | All |
| Application | Apache | Poi | 3.6 | All | All | All |
| Application | Apache | Poi | 3.7 | All | All | All |
| Application | Apache | Poi | 3.7 | beta1 | All | All |
| Application | Apache | Poi | 3.7 | beta2 | All | All |
| Application | Apache | Poi | 3.7 | beta3 | All | All |
| Application | Apache | Poi | 3.8 | All | All | All |
| Application | Apache | Poi | 3.8 | beta1 | All | All |
| Application | Apache | Poi | 3.8 | beta2 | All | All |
| Application | Apache | Poi | 3.8 | beta3 | All | All |
| Application | Apache | Poi | 3.8 | beta4 | All | All |
| Application | Apache | Poi | 3.8 | beta5 | All | All |
| Application | Apache | Poi | 3.9 | All | All | All |
| Application | Apache | Poi | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Apache Solr - News | CONFIRM | lucene.apache.org | Vendor Advisory |
| RETIRED: POI CVE-2014-3529 Remote Security Vulnerability | BID | www.securityfocus.com | |
| IBM X-Force Exchange | XF | exchange.xforce.ibmcloud.com | |
| www.apache.org/dist/poi/release/RELEASE-NOTES.txt | CONFIRM | www.apache.org | |
| Security Advisory SA59943 - Red Hat update for Red Hat JBoss BRMS - Secunia | SECUNIA | secunia.com | |
| History of Changes | CONFIRM | poi.apache.org | |
| Security Advisory SA61766 - Red Hat update for Red Hat JBoss Data Virtualization - Secunia | SECUNIA | secunia.com | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Apache POI OpenXML parser CVE-2014-3529 XML External Entity Information Disclosure Vulnerability | BID | www.securityfocus.com | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Security Bulletin: Vulnerabilities in Apache POI affects IBM InfoSphere Information Server | CONFIRM | www-01.ibm.com | |
| Security Advisory SA60419 - Apache POI Two XML Entity Expansion Denial of Service Vulnerabilities - Secunia | SECUNIA | secunia.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.