CVE-2022-23640 — Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-str

描述

### Impact Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues. ### Patches Upgrade to version 2.1.0. ### Workarounds No known workaround. ### References https://github.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73 ### For more information If you have any questions or comments about this advisory: * Open an issue in [monitorjbl/excel-streaming-reader](https://github.com/monitorjbl/excel-streaming-reader)

如何修補 CVE-2022-23640

要修補 CVE-2022-23640,請將受影響套件升級到下列已修補版本。

—升級至 2.1.0 或更新版本

CVE-2022-23640 正在被利用嗎?

低 — EPSS 為 0.4%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 2.1.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23640
WEBgithub.com/monitorjbl/excel-streaming-reader
WEBgithub.com/monitorjbl/excel-streaming-reader/commit/0749c7b9709db078ccdeada16d46a34bc2910c73
WEBgithub.com/monitorjbl/excel-streaming-reader/security/advisories/GHSA-xvm2-9xvc-hx7f