Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVE-2017-5644

Medium

5.5/10

Summary

Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

References

Issue

Advisory Timeline

Published Mar 24, 2017

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CVE-2017-5644

Summary

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS