{"id":"MGASA-2014-0550","summary":"Updated apache-poi packages fix security vulnerabilities","details":"Updated apache-poi packages fix security vulnerabilities:\n\nIt was found that Apache POI would resolve entities in OOXML documents. A\nremote attacker able to supply OOXML documents that are parsed by Apache POI\ncould use this flaw to read files accessible to the user running the\napplication server, and potentially perform other more advanced XXE attacks\n(CVE-2014-3529).\n\nIt was found that Apache POI would expand an unlimited number of entities in\nOOXML documents. A remote attacker able to supply OOXML documents that are\nparsed by Apache POI could use this flaw to trigger a denial of service\nattack via excessive CPU and memory consumption (CVE-2014-3574).\n","modified":"2026-04-16T06:24:34.084489916Z","published":"2014-12-26T17:04:58Z","upstream":["CVE-2014-3529","CVE-2014-3574"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0550.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=14128"},{"type":"WEB","url":"https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137802.html"}],"affected":[{"package":{"name":"apache-poi","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/apache-poi?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.10.1-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0550.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}