Bug 65421 - Multiple CVEs found on poi-ooxml dependencies
Summary: Multiple CVEs found on poi-ooxml dependencies
Status: RESOLVED DUPLICATE of bug 65355
Alias: None
Product: POI
Classification: Unclassified
Component: XSLF
Version: 5.0.0-FINAL
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-01 14:54 UTC by Tiago Neves
Modified: 2021-07-01 15:31 UTC
CC List: 1 user
Description Tiago Neves 2021-07-01 14:54:15 UTC
Found some CVEs while scanning my app with OWASP Dependency Check. I have a dependency on:

<dependency>
	<groupId>org.apache.poi</groupId>
	<artifactId>poi-ooxml</artifactId>
	<version>5.0.0</version>
</dependency>

Here are the CVEs:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11987
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27807
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27906
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31811
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31812
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11988

Most of these come from batik-all-1.13.jar and seem to have been fixed on 1.14.
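As an added example (not part of this bug report or of the POI project), here is one way a consuming project can force the transitive batik-all dependency pulled in by poi-ooxml 5.0.0 up to 1.14, the version the reporter notes as carrying the fixes, until a POI release ships it. The coordinates org.apache.xmlgraphics:batik-all are Batik's published Maven coordinates; that 1.14 is drop-in compatible with poi-ooxml 5.0.0 is an assumption taken from the reporter's remark and should be confirmed by running the project's own test suite after the change.

```xml
<!-- Added example pom.xml fragment: override the transitive batik-all version.
     Assumptions: coordinates org.apache.xmlgraphics:batik-all, and that 1.14 is
     compatible with poi-ooxml 5.0.0. Insert into an existing <project> element. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- A version declared here takes precedence over the version that
           poi-ooxml declares for the same artifact transitively. -->
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-all</artifactId>
        <version>1.14</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The dependency from the report, unchanged. -->
    <dependency>
      <groupId>org.apache.poi</groupId>
      <artifactId>poi-ooxml</artifactId>
      <version>5.0.0</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=org.apache.xmlgraphics` and check that batik-all resolves to 1.14 rather than 1.13; re-running the dependency scanner afterwards shows which of the listed CVEs were attributable to Batik and which, if any, remain on other transitive dependencies.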
Comment 1 PJ Fanning 2021-07-01 15:05:09 UTC
duplicate of https://bz.apache.org/bugzilla/show_bug.cgi?id=65355

*** This bug has been marked as a duplicate of bug 65355 ***
Comment 2 PJ Fanning 2021-07-01 15:07:27 UTC
pdfbox was upgraded in main branch for https://bz.apache.org/bugzilla/show_bug.cgi?id=65405 -- this change will also be in the next POI release
Comment 3 Tiago Neves 2021-07-01 15:31:40 UTC
Sorry for the duplicate. I searched for the CVE codes but they aren't mentioned in the other bug. Now if someone searches for them they will find this bug. Good to see these will be fixed on next release!