CVE-2017-5644 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	NONE	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 70%

Affected Products (NVD)

Vendor	Product	Version
apache	poi	𝑥 ≤ 3.14

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libapache-poi-java

bookworm	4.0.1-4 fixed
bullseye	4.0.1-1 fixed
jessie	no-dsa
sid	4.0.1-6 fixed
stretch	no-dsa
trixie	4.0.1-6 fixed
wheezy	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

libapache-poi-java

artful	ignored
bionic	not-affected
cosmic	not-affected
disco	not-affected
eoan	not-affected
focal	not-affected
groovy	not-affected
hirsute	not-affected
impish	not-affected
jammy	not-affected
kinetic	not-affected
lunar	not-affected
mantic	not-affected
noble	not-affected
precise	ignored
trusty	dne
xenial	needed
yakkety	ignored
zesty	ignored

Common Weakness Enumeration

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

References

http://poi.apache.org/#20+March+2017+-+CVE-2017-5644+-+Possible+DOS+%28Denial+of+Service%29+in+Apache+POI+versions+prior+to+3.15

http://www.securityfocus.com/bid/96983

https://www.oracle.com/security-alerts/cpuoct2020.html

http://poi.apache.org/#20+March+2017+-+CVE-2017-5644+-+Possible+DOS+%28Denial+of+Service%29+in+Apache+POI+versions+prior+to+3.15

http://www.securityfocus.com/bid/96983

https://www.oracle.com/security-alerts/cpuoct2020.html