dbunit v2.5.3 has dependencies:
Update to v3.1.6 to address CVE-2017-5644... although v3.1.5 would also address the threat:
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Ticket moved from /p/dbunit/bugs/402/
When it comes to release notes, the fix to this issue used org.apache.poi:poi-ooxml v3.1.7.
As it happens, this has the happy outcome of also addressing a separate (newer) threat, CVE-2017-12626, that was first published 01/29/2018.