26 March 2019 - XMLBeans 3.1.0 available

The Apache POI team is pleased to announce the release of XMLBeans 3.1.0. The Apache POI project has unretired the XMLBeans codebase and is maintaining it as a sub-project, due to its importance in the poi-ooxml codebase. People interested should also follow the POI dev list to track progress. The XMLBeans JIRA project has been reopened; feel free to open issues. XMLBeans requires Java 6 or newer since version 3.0.2.

This issue was discovered by Artem Smotrakov from SAP
Java 1.7.0_21 update
20 October 2019 - CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI versions prior to 4.1.1

When using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.

Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml are not affected. Affected users are advised to update to Apache POI 4.1.1

13 January 2021 - CVE-2021-23926 - XML External Entity (XXE) Processing in Apache XMLBeans versions prior to 3.0.0

When parsing XML files using XMLBeans 2.6.0 or below, the underlying parser created by XMLBeans could be susceptible to XML External Entity (XXE) attacks.

This issue was fixed a few years ago but on review, we decided we should have a CVE

Affected users are advised to update to Apache XMLBeans 3.0.0 or above

The Apache POI team is pleased to announce the release of 5.1.0. Several dependencies were updated to their latest versions to pick up security fixes and other improvements. A full list of changes is available in the change log. People interested should also follow the dev list to track progress. POI requires Java 8 or newer since version 4.0.1.