CVE-2022-23640: 
Java vulnerability analysis and mitigation

Excel-Streaming-Reader, an implementation of a streaming Excel reader using Apache POI, was found to contain a critical XML External Entity (XXE) vulnerability identified as CVE-2022-23640. The vulnerability was discovered in versions prior to 2.1.0, where the XML parser did not properly implement settings to prevent XML Entity Expansion issues (GitHub Advisory).

The vulnerability stems from the XML parser's default configuration that allowed entity expansion, which could be exploited through maliciously crafted Excel files. The issue was specifically related to the Xerxes XML parsing library used by Excel Streaming Reader, which defaulted to allowing entity expansion without proper restrictions (GitHub Commit).

An attacker could potentially exploit this vulnerability to read arbitrary data from the target system through XML External Entity (XXE) attacks. The vulnerability was classified as Critical severity, indicating its significant potential impact on system security (GitHub Advisory).

The vulnerability was patched in version 2.1.0 of Excel-Streaming-Reader. The fix includes throwing a ParsingException if a workbook contains an XML document with an entity declaration. Users are strongly advised to update to version 2.1.0 as soon as possible, as there are no known workarounds for this vulnerability (GitHub Commit).