Apache POI
cpe:2.3:a:apache:poi:*:*:*:*:*:*:*
- < 5.4.0
An improper input validation vulnerability has been identified in Apache POI versions prior to 5.4.0. The issue affects the parsing of OOXML format files (xlsx, docx, pptx), which are zip archives underneath. A malicious user can craft a file that contains two or more zip entries with the same name, including the path. When an application processes such a file, the data it reads depends on which of the duplicate entries its zip parser selects, so different products (or different libraries within one product) may interpret the same file differently.
Exploitation of this vulnerability could result in the incorrect parsing of OOXML files, allowing for the unintentional disclosure of sensitive information, unauthorized modification of data, or a denial-of-service condition.
Users are advised to upgrade to Apache POI version 5.4.0 or later, which includes a validation check that throws an exception if duplicate zip entry names are detected. For guidance on using Apache POI securely, refer to the Apache POI security recommendations.
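The check that the 5.4.0 fix adds, reconstructed here as a stand-alone example (this is added illustration code, not Apache POI's own implementation, and it uses Python's standard `zipfile` module rather than POI's Java zip handling). It builds a constructed, minimal xlsx-like archive in which `xl/worksheets/sheet1.xml` appears twice, shows that a naive by-name read silently returns one of the two copies (Python's `zipfile` happens to return the last central-directory record; another parser may return the first, which is exactly the inconsistency the advisory describes), and then rejects the archive with a pre-parse duplicate-name check before any part is handed to a document parser. The entry names and XML bodies are placeholders, not real workbook content.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_sample_zip(sheet_bodies: list[bytes]) -> bytes:
    """Construct a minimal OOXML-style archive for the demonstration.

    One entry named xl/worksheets/sheet1.xml is written per element of
    sheet_bodies, so passing two bodies yields the duplicate-name layout
    the advisory describes. Names and contents are constructed placeholders.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        # zipfile warns about a duplicate name but still writes the entry;
        # silence the warning so the sample builds quietly.
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")
            for body in sheet_bodies:
                zf.writestr("xl/worksheets/sheet1.xml", body)
    return buf.getvalue()


def duplicate_entry_names(data: bytes) -> list[str]:
    """Return every entry name that occurs more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def naive_read(data: bytes, name: str) -> bytes:
    """Read an entry by name the way an unaware consumer would.

    zipfile resolves names through a dict keyed by filename, so when two
    records share a name the later central-directory record wins. A different
    zip implementation may legitimately choose the earlier one; that divergence
    is what makes duplicate names dangerous.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def load_parts_strict(data: bytes) -> dict[str, bytes]:
    """Load all parts of an OOXML-style archive, refusing duplicate entry names.

    This mirrors the behaviour the advisory attributes to POI 5.4.0: raise
    instead of silently picking one copy. The check runs before any part is
    parsed, so no downstream XML handling sees the ambiguous file.
    """
    dupes = duplicate_entry_names(data)
    if dupes:
        raise ValueError(f"rejected archive with duplicate entry names: {dupes}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Reading by ZipInfo (not by name) reads exactly that record.
        return {info.filename: zf.read(info) for info in zf.infolist()}


if __name__ == "__main__":
    hostile = build_sample_zip([b"<sheet>A</sheet>", b"<sheet>B</sheet>"])
    print("duplicates:", duplicate_entry_names(hostile))
    print("naive read returns:", naive_read(hostile, "xl/worksheets/sheet1.xml"))
    try:
        load_parts_strict(hostile)
    except ValueError as exc:
        print("strict loader:", exc)
    clean = build_sample_zip([b"<sheet>A</sheet>"])
    print("clean archive parts:", sorted(load_parts_strict(clean)))
```

Running the script shows the duplicate name being reported, the naive reader returning the second body without any error, the strict loader raising on the hostile archive, and the clean archive loading normally. The same pre-parse check is worth applying at any trust boundary where OOXML or other zip-based formats are accepted, independent of which library parses them afterwards.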