Apache POI - the Java API for Microsoft Documents
The Apache POI team is pleased to announce the release of 5.0.0. This release features full JPMS support, updated ECMA-376 OOXML schemas, various rendering fixes in the Common SL/EMF modules. Several dependencies were also updated to their latest versions to pick up security fixes and other improvements.
A summary of changes is available in the Release Notes. A full list of changes is available in the change log. People interested should also follow the dev list to track progress.
Description: When parsing XML files using XMLBeans 2.6.0 or below, the underlying parser created by XMLBeans could be susceptible to XML External Entity (XXE) attacks.
This issue was fixed a few years ago but on review, we decided we should have a CVE to raise awareness of the issue.
Mitigation: Affected users are advised to update to Apache XMLBeans 3.0.0 or above which fixes this vulnerability. XMLBeans 4.0.0 or above is preferable.
