Bug 65421

Summary: Multiple CVEs found on poi-ooxml dependencies
Product: POI
Reporter: Tiago Neves <tiagofoneves>
Component: XSLF
Assignee: POI Developers List <dev>
Status: RESOLVED DUPLICATE
Severity: normal
CC: tiagofoneves
Priority: P2
Version: 5.0.0-FINAL
Target Milestone: ---
Hardware: PC
OS: All

Description Tiago Neves 2021-07-01 14:54:15 UTC
Found some CVEs while scanning my app with OWASP Dependency Check. I have a dependency on:

<dependency>
	<groupId>org.apache.poi</groupId>
	<artifactId>poi-ooxml</artifactId>
	<version>5.0.0</version>
</dependency>

Here are the CVEs:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11987
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27807
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27906
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31811
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31812
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11988

Most of these come from batik-all-1.13.jar and seem to have been fixed on 1.14.
Comment 1 PJ Fanning 2021-07-01 15:05:09 UTC
Duplicate of https://bz.apache.org/bugzilla/show_bug.cgi?id=65355

*** This bug has been marked as a duplicate of bug 65355 ***
Comment 2 PJ Fanning 2021-07-01 15:07:27 UTC
pdfbox was upgraded in the main branch for https://bz.apache.org/bugzilla/show_bug.cgi?id=65405 -- this change will also be in the next POI release.
Comment 3 Tiago Neves 2021-07-01 15:31:40 UTC
Sorry for the duplicate. I searched for the CVE codes but they aren't mentioned in the other bug. Now if someone searches for them they will find this bug. Good to see these will be fixed in the next release!
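Until a POI release that ships the newer Batik is available, the reporter's transitive exposure can be closed from the consuming project's own pom.xml by pinning the transitive artifact. The fragment below is an added example, not part of this bug report or of Apache POI; it assumes Batik's Maven coordinates are `org.apache.xmlgraphics:batik-all` and that 1.14 is the fixed version named in the description.

```xml
<!-- Added example (not from the bug report): keep poi-ooxml 5.0.0 as declared,
     but force Maven to resolve its transitive batik-all to 1.14 instead of 1.13.
     dependencyManagement wins over the version a transitive dependency would
     otherwise pull in, so no exclusion on poi-ooxml itself is needed. -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <!-- Coordinates assumed from the batik-all-1.13.jar named in the report -->
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-all</artifactId>
        <version>1.14</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The reporter's original dependency, unchanged -->
    <dependency>
      <groupId>org.apache.poi</groupId>
      <artifactId>poi-ooxml</artifactId>
      <version>5.0.0</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree` (batik-all should now show 1.14 under poi-ooxml) and rerun Dependency Check; the pdfbox CVEs mentioned in comment 2 need a separate pin once the fixed version is known.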