Bug 68691 - CVE-2024-26308
Summary: CVE-2024-26308
Status: RESOLVED FIXED
Alias: None
Product: POI
Classification: Unclassified
Component: XSSF
Version: 5.2.3-FINAL
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: POI Developers List
Reported: 2024-02-29 15:56 UTC by Jorge Mascarell
Modified: 2024-02-29 18:56 UTC
Description Jorge Mascarell 2024-02-29 15:56:17 UTC
Current version 5.2.5 provides a vulnerable transitive dependency, org.apache.commons:commons-compress:1.25.0.

This vulnerability has been fixed in org.apache.commons:commons-compress:1.26.0
https://mvnrepository.com/artifact/org.apache.commons/commons-compress

Therefore, the dependency should be updated to the new version to avoid the vulnerability.
Comment 1 Jorge Mascarell 2024-02-29 16:06:05 UTC
The vulnerability fixed in commons-compress:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26308
Comment 2 Axel Howind 2024-02-29 17:34:50 UTC
trunk has already been updated to use commons-compress 1.26.0, so this will be in the next release. Users of the current version of POI can override the version used in their Maven or Gradle build files.
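One way to apply the override described above in a Maven build, as an added example rather than anything from the POI project: a consumer of poi-ooxml 5.2.5 pins commons-compress to 1.26.0 through dependencyManagement and uses the Maven enforcer plugin to fail the build if any dependency path still resolves an older version. The consuming project's coordinates and the enforcer plugin version are constructed for the example.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Constructed placeholder coordinates for the consuming project -->
  <groupId>com.example</groupId>
  <artifactId>poi-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version wins over the transitive 1.25.0 that poi-ooxml 5.2.5 pulls in -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>1.26.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.poi</groupId>
      <artifactId>poi-ooxml</artifactId>
      <version>5.2.5</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Guard: break the build if commons-compress below 1.26.0 is ever resolved again,
           e.g. after another dependency is added that declares an older version -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version> <!-- assumed plugin version; use the one your build already has -->
        <executions>
          <execution>
            <id>ban-vulnerable-commons-compress</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- Version range: anything strictly below 1.26.0 -->
                    <exclude>org.apache.commons:commons-compress:[,1.26.0)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Confirm the resolved version with `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress`, which should list only 1.26.0 under poi-ooxml.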
Comment 3 PJ Fanning 2024-02-29 18:56:51 UTC
POI doesn't even use the pack200 code. POI tests run fine with the latest commons-compress jar.

We are not going to expedite a POI release. Feel free to update your build to use a newer commons-compress jar.

If you have a POC that demos that POI 5.2.5 is actually affected, please provide it privately using the security guidelines. https://poi.apache.org/security.html