CVE-2017-5644
MEDIUMApache Poi < 3.14 - XML Entity Expansion
Title source: ruleDescription
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
References (3)
Scores
CVSS v3
5.5
EPSS
0.0066
EPSS Percentile
70.8%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Classification
CWE
CWE-776
Status
published
Affected Products (3)
apache/poi
< 3.14
org.apache.poi/poi
< 3.15Maven
Apache Software Foundation/Apache POI
< before 3.15
Timeline
Published
Mar 24, 2017
Tracked Since
Feb 18, 2026