CVE-2016-5000: Improper Restriction of XML External Entity Reference

May 13, 2022 (updated September 26, 2023)

The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

References

www-01.ibm.com/support/docview.wss?uid=swg21996759
github.com/advisories/GHSA-pmqq-7wfv-jfff
lists.apache.org/list.html?user@poi.apache.org
nvd.nist.gov/vuln/detail/CVE-2016-5000
www.oracle.com/security-alerts/cpuoct2020.html

Code Behaviors & Features

Detect and mitigate CVE-2016-5000 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →