Fortify Report on POI source code identifies the following vulnerability:

Category: Privacy Violation (Security Features, Data Flow)
Description: The method write() in XOREncryptionVerifier.java mishandles confidential information, which can compromise user privacy and is often illegal.

    @Override
    public void write(LittleEndianByteArrayOutputStream bos) {
        bos.write(getEncryptedKey());
        bos.write(getEncryptedVerifier());
    }
Reading/writing the encrypted key / verifier is in the spec, i.e. it's part of the file format. See https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/06494548-8c5c-4697-bce1-e2a9fe1c4de4
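As an added illustration of what those two fields are (example code written for this page, not POI's own implementation): in MS-OFFCRYPTO XOR obfuscation the verifier is a 16-bit value derived from the password by CreatePasswordVerifier_Method1, and the write() above just emits the 2-byte key followed by the 2-byte verifier in little-endian order. The algorithm below follows my reading of that spec section; the key 0x1234 and the passwords are constructed values, and the key derivation itself (CreateXorKey_Method1) is not reproduced.

```python
# Added example (not POI code): the 16-bit password verifier that MS-OFFCRYPTO
# defines for XOR obfuscation (CreatePasswordVerifier_Method1), plus the 4-byte
# key/verifier layout the flagged write() emits. The verifier is derived from
# the password by a 15-bit rotate-and-XOR; it is a checksum-style field of the
# file format, not the password or the document content itself.
import struct


def create_password_verifier_method1(password: str) -> int:
    """Return the 16-bit verifier for an ANSI password of at most 15 chars."""
    pw = password.encode("latin-1")
    if len(pw) > 15:
        raise ValueError("XOR obfuscation passwords are limited to 15 bytes")
    # The spec prepends the password length to the password bytes...
    data = bytes([len(pw)]) + pw
    verifier = 0
    # ...and walks the array in reverse order.
    for b in reversed(data):
        carry = 1 if verifier & 0x4000 else 0         # bit 14 becomes the new low bit
        rotated = ((verifier << 1) & 0x7FFF) | carry  # shift left, drop bit 15
        verifier = rotated ^ b
    return verifier ^ 0xCE4B


def serialize_xor_verifier(key: int, verifier: int) -> bytes:
    """Little-endian Key (2 bytes) followed by VerificationBytes (2 bytes),
    the same field order as XOREncryptionVerifier.write()."""
    return struct.pack("<HH", key & 0xFFFF, verifier & 0xFFFF)


def check_password(stored_verifier: int, candidate: str) -> bool:
    """Readers compare the stored verifier to reject wrong passwords cheaply."""
    return create_password_verifier_method1(candidate) == stored_verifier


if __name__ == "__main__":
    v = create_password_verifier_method1("a")          # constructed password
    print(hex(v))                                      # 0xce88 (hand-traced)
    print(serialize_xor_verifier(0x1234, v).hex())     # 341288ce
    print(check_password(v, "a"), check_password(v, "b"))
```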