Skip to main content

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVE-2014-3574

Severity Medium
Score 4.3/10

Summary

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

  • MEDIUM
  • NETWORK
  • NONE
  • NONE
  • NONE
  • PARTIAL

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Advisory Timeline

  • Published