Author: fanningpj Date: Wed Jan 13 17:41:42 2021 New Revision: 1885440 URL: http://svn.apache.org/viewvc?rev=1885440&view=rev Log: add cve news
Modified: poi/site/publish/index.html Modified: poi/site/publish/index.html URL: http://svn.apache.org/viewvc/poi/site/publish/index.html?rev=1885440&r1=1885439&r2=1885440&view=diff ============================================================================== --- poi/site/publish/index.html (original) +++ poi/site/publish/index.html Wed Jan 13 17:41:42 2021 @@ -179,6 +179,20 @@ document.write("Last Published: " + docu <a name="Project+News"></a> <h2 class="boxed">Project News</h2> <div class="section"> +<a name="13+January+2020+-+CVE-2021-23926+-+XML+External+Entity+%28XXE%29+Processing+in+Apache+XMLBeans+versions+prior+to+3.0.0"></a> +<h3 class="boxed">13 January 2020 - CVE-2021-23926 - XML External Entity (XXE) Processing in Apache XMLBeans versions prior to 3.0.0</h3> +<p>Description:<br> + When parsing XML files using XMLBeans 2.6.0 or below, the underlying parser + created by XMLBeans could be susceptible to XML External Entity (XXE) attacks.</p> +<p>This issue was fixed a few years ago but on review, we decided we should have a CVE + to raise awareness of the issue.</p> +<p>Mitigation:<br> + Affected users are advised to update to Apache XMLBeans 3.0.0 or above + which fixes this vulnerability. XMLBeans 4.0.0 or above is preferable.</p> +<p>References: + <a href="https://en.wikipedia.org/wiki/XML_external_entity_attack">XML external entity attack</a> + +</p> <a name="18+October+2020+-+XMLBeans+4.0.0+available"></a> <h3 class="boxed">18 October 2020 - XMLBeans 4.0.0 available</h3> <p>The Apache POI team is pleased to announce the release of XMLBeans 4.0.0. 
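Review bot: The date in the new entry is wrong: both the anchor name `13+January+2020+-+CVE-2021-23926...` and the heading `13 January 2020 - CVE-2021-23926 - XML External Entity (XXE) Processing...` say 2020, but the commit is dated 13 Jan 2021 and the identifier is a 2021 CVE, so the heading should read `13 January 2021 - CVE-2021-23926 - ...` (and the anchor updated to match); as written it also sorts the newest entry under the "18 October 2020" release note. The Description paragraph states the affected range twice in slightly different terms ("versions prior to 3.0.0" in the heading, "XMLBeans 2.6.0 or below" in the body); say which version introduced the fix in the "fixed a few years ago" sentence so readers can see the two statements agree. The References paragraph has an empty line before `</p>` and links only to the Wikipedia article; the project's other CVE entries on this page carry a Credit line and a pointer to the advisory, so consider adding a link to the CVE record itself (a labelled placeholder is fine until the entry is published) rather than leaving the blank.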
@@ -210,7 +224,7 @@ document.write("Last Published: " + docu via XML External Entity (XXE) Processing.</p> <p>Mitigation:<br> Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml - are not affected. affected users are advised to update to Apache POI 4.1.1 + are not affected. Affected users are advised to update to Apache POI 4.1.1 which fixes this vulnerability.</p> <p>Credit: This issue was discovered by Artem Smotrakov from SAP</p> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@poi.apache.org For additional commands, e-mail: commits-h...@poi.apache.org
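Review bot: This hunk is an unrelated capitalization fix (`affected users` to `Affected users`) in the existing POI 4.1.1 XXE entry, yet the commit log says only "add cve news"; either mention the typo fix in the log or land it separately so the site history stays searchable by CVE.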