Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14dm0yLTl4dmMtaHg3Zs0vuA
Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer
Impact
Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues.
Patches
Upgrade to version 2.1.0.
Workarounds
No known workaround.
References
https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73
For more information
If you have any questions or comments about this advisory:
- Open an issue in monitorjbl/excel-streaming-reader
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14dm0yLTl4dmMtaHg3Zs0vuA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: 10 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-xvm2-9xvc-hx7f, CVE-2022-23640
References:
- https://github.com/monitorjbl/excel-streaming-reader/security/advisories/GHSA-xvm2-9xvc-hx7f
- https://nvd.nist.gov/vuln/detail/CVE-2022-23640
- https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73
- https://github.com/advisories/GHSA-xvm2-9xvc-hx7f
Blast Radius: 24.4
Affected Packages
maven:com.monitorjbl:xlsx-streamer
Dependent packages: 37Dependent repositories: 307
Downloads:
Affected Version Ranges: < 2.1.0
Fixed in: 2.1.0
All affected versions: 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.2.1, 2.0.0
All unaffected versions: 2.1.0, 2.2.0