CVE-2016-5000

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2016-5000
The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References
Link Resource
http://www-01.ibm.com/support/docview.wss?uid=swg21996759
http://www.securityfocus.com/archive/1/538981/100/0/threaded
http://www.securityfocus.com/bid/92100
http://www.securitytracker.com/id/1037741
https://lists.apache.org/list.html?user%40poi.apache.org
https://www.oracle.com/security-alerts/cpuoct2020.html
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:poi:*:*:*:*:*:*:*:*
History

07 Nov 2023, 02:32

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/list.html?user@poi.apache.org', 'name': "[users] 20160722 [CVE-2016-5000] XML External Entity (XXE) Vulnerability in Apache POI's XLSX2CSV Example", 'tags': ['Mailing List'], 'refsource': 'MLIST'}
  • () https://lists.apache.org/list.html?user%40poi.apache.orgĀ -
Information

Published : 2016-08-05 14:59

Updated : 2023-12-10 11:46

NVD link : CVE-2016-5000

Mitre link : CVE-2016-5000

CVE.ORG link : CVE-2016-5000

JSON object : View

Products Affected

apache

  • poi
CWE
CWE-611

Improper Restriction of XML External Entity Reference