poi-ooxml-3.9.jar: 7 vulnerabilities (highest severity is: 9.1) reachable #25
Description
Vulnerable Library - poi-ooxml-3.9.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (poi-ooxml version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-1000632 |  High |
7.5 | Not Defined | 1.6% | dom4j-1.6.1.jar | Transitive | 3.10.1 | ✅ |
|
| CVE-2025-31672 |  Medium |
6.5 | Not Defined | 0.3% | poi-ooxml-3.9.jar | Direct | 5.4.0 | ✅ |
|
| CVE-2019-12415 | Medium |
5.5 | Not Defined | 0.0% | poi-ooxml-3.9.jar | Direct | 4.1.1 | ✅ |
|
| CVE-2017-5644 | Medium |
5.5 | Not Defined | 0.70000005% | poi-ooxml-3.9.jar | Direct | 3.15-beta1 | ✅ |
|
| CVE-2014-3574 |  Low |
3.7 | Not Defined | 11.1% | poi-ooxml-3.9.jar | Direct | 3.10.1 | ✅ |
|
| CVE-2014-3529 | Low |
3.7 | Not Defined | 4.5% | poi-ooxml-3.9.jar | Direct | 3.10.1 | ✅ |
|
| CVE-2021-23926 |  Critical |
9.1 | Not Defined | 0.3% | xmlbeans-2.3.0.jar | Transitive | 3.10.1 | ✅ |
|
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2018-1000632
Vulnerable Library - dom4j-1.6.1.jar
dom4j: the flexible XML framework for Java
Library home page: http://sourceforge.net/projects/dom4j
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar
Dependency Hierarchy:
- poi-ooxml-3.9.jar (Root Library)
- ❌ dom4j-1.6.1.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.controller.XXE (Application)
-> org.slf4j.LoggerFactory (Extension)
-> org.slf4j.impl.StaticLoggerBinder (Extension)
-> com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter$1 (Extension)
...
-> org.dom4j.io.XMLWriter (Extension)
-> org.dom4j.util.NonLazyElement (Extension)
-> ❌ org.dom4j.QName (Vulnerable Component)
Vulnerability Details
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Publish Date: 2018-08-20
URL: CVE-2018-1000632
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.6%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632/
Release Date: 2018-08-20
Fix Resolution (dom4j:dom4j): 20040902.021138
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 3.10.1
In order to enable automatic remediation, please create workflow rules
CVE-2025-31672
Vulnerable Library - poi-ooxml-3.9.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar
Dependency Hierarchy:
- ❌ poi-ooxml-3.9.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.controller.othervulns.ooxmlXXE (Application)
-> org.apache.poi.xssf.usermodel.XSSFCell (Extension)
-> org.apache.poi.xssf.model.SharedStringsTable (Extension)
-> org.apache.poi.openxml4j.opc.OPCPackage (Extension)
-> ❌ org.apache.poi.openxml4j.opc.ZipPackage (Vulnerable Component)
Vulnerability Details
Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx,
docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries
with duplicate names (including the path) in the zip. In this case, products reading the affected file could read
different data because 1 of the zip entries with the duplicate name is selected over another but different products may
choose a different zip entry.
This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip
entries with duplicate file names are found in the input file.
Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue.
Publish Date: 2025-04-09
URL: CVE-2025-31672
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-04-07
Fix Resolution: 5.4.0
In order to enable automatic remediation, please create workflow rules
CVE-2019-12415
Vulnerable Library - poi-ooxml-3.9.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar
Dependency Hierarchy:
- ❌ poi-ooxml-3.9.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.config.CustomCorsConfig (Application)
-> org.springframework.boot.autoconfigure.web.WebMvcRegistrationsAdapter (Extension)
-> org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver (Extension)
-> org.springframework.web.servlet.view.document.AbstractXlsxStreamingView (Extension)
-> org.apache.poi.xssf.streaming.SXSSFWorkbook (Extension)
-> ❌ org.apache.poi.xssf.streaming.SheetDataWriter (Vulnerable Component)
Vulnerability Details
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
Publish Date: 2019-10-23
URL: CVE-2019-12415
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12415
Release Date: 2019-10-23
Fix Resolution: 4.1.1
In order to enable automatic remediation, please create workflow rules
CVE-2017-5644
Vulnerable Library - poi-ooxml-3.9.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar
Dependency Hierarchy:
- ❌ poi-ooxml-3.9.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.controller.othervulns.ooxmlXXE (Application)
-> org.apache.poi.xssf.usermodel.XSSFSheet (Extension)
-> ❌ org.apache.poi.xssf.usermodel.XSSFFirstFooter (Vulnerable Component)
Vulnerability Details
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Publish Date: 2017-03-24
URL: CVE-2017-5644
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.70000005%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5644
Release Date: 2017-03-24
Fix Resolution: 3.15-beta1
In order to enable automatic remediation, please create workflow rules
CVE-2014-3574
Vulnerable Library - poi-ooxml-3.9.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar
Dependency Hierarchy:
- ❌ poi-ooxml-3.9.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.controller.othervulns.ooxmlXXE (Application)
-> org.apache.poi.xssf.usermodel.XSSFCell (Extension)
-> org.apache.poi.xssf.model.SharedStringsTable (Extension)
-> org.apache.poi.openxml4j.opc.OPCPackage (Extension)
-> ❌ org.apache.poi.openxml4j.opc.StreamHelper (Vulnerable Component)
Vulnerability Details
Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Publish Date: 2014-09-04
URL: CVE-2014-3574
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 11.1%
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3574
Release Date: 2014-09-04
Fix Resolution: 3.10.1
In order to enable automatic remediation, please create workflow rules
CVE-2014-3529
Vulnerable Library - poi-ooxml-3.9.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar
Dependency Hierarchy:
- ❌ poi-ooxml-3.9.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.controller.othervulns.ooxmlXXE (Application)
-> org.apache.poi.xssf.usermodel.XSSFSheet (Extension)
-> org.apache.poi.openxml4j.opc.OPCPackage (Extension)
-> ❌ org.apache.poi.openxml4j.opc.internal.unmarshallers.PackagePropertiesUnmarshaller (Vulnerable Component)
Vulnerability Details
The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Publish Date: 2014-09-04
URL: CVE-2014-3529
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.5%
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3529
Release Date: 2014-09-04
Fix Resolution: 3.10.1
In order to enable automatic remediation, please create workflow rules
CVE-2021-23926
Vulnerable Library - xmlbeans-2.3.0.jar
XmlBeans main jar
Library home page: http://xmlbeans.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/xmlbeans/xmlbeans/2.3.0/xmlbeans-2.3.0.jar
Dependency Hierarchy:
- poi-ooxml-3.9.jar (Root Library)
- poi-ooxml-schemas-3.9.jar
- ❌ xmlbeans-2.3.0.jar (Vulnerable Library)
- poi-ooxml-schemas-3.9.jar
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
Publish Date: 2021-01-14
URL: CVE-2021-23926
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23926
Release Date: 2021-01-14
Fix Resolution (org.apache.xmlbeans:xmlbeans): 3.0.0
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 3.10.1
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules