GHSA-xvm2-9xvc-hx7f

Source

https://github.com/advisories/GHSA-xvm2-9xvc-hx7f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-xvm2-9xvc-hx7f/GHSA-xvm2-9xvc-hx7f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xvm2-9xvc-hx7f

Aliases

CVE-2022-23640

Published

2022-03-02T21:30:54Z

Modified

2024-02-16T08:13:13.361722Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer

Details

Impact

Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues.

Patches

Upgrade to version 2.1.0.

Workarounds

No known workaround.

References

https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73

For more information

If you have any questions or comments about this advisory: * Open an issue in monitorjbl/excel-streaming-reader

Database specific

{
    "nvd_published_at": "2022-03-02T20:15:00Z",
    "cwe_ids": [
        "CWE-611",
        "CWE-776"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-02T21:30:54Z"
}

References

Affected packages

Maven / com.monitorjbl:xlsx-streamer

Package

Name: com.monitorjbl:xlsx-streamer; View open source insights on deps.dev
Purl: pkg:maven/com.monitorjbl/xlsx-streamer

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.0

Affected versions

0.*

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

1.*

1.0.0

1.0.1

1.0.2

1.1.0

1.2.0

1.2.1

2.*

2.0.0