CVE-2019-12415

CVSSv4: NA | CVSSv3: 5.5 | CVSSv2: 2.1 | VMScore: 650 | EPSS: 0.00102 | KEV: Not Included
Published: 23/10/2019 Updated: 21/11/2024

Vulnerability Summary

In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow a malicious user to read files from the local filesystem or from internal network resources via XML External Entity (XXE) processing.

Vulnerable Products

apache poi

oracle application testing suite 12.5.0.3

oracle application testing suite 13.1.0.1

oracle application testing suite 13.2.0.1

oracle application testing suite 13.3.0.1

oracle banking enterprise originations 2.7.0

oracle banking enterprise originations 2.8.0

oracle banking enterprise product manufacturing 2.7.0

oracle banking enterprise product manufacturing 2.8.0

oracle banking payments 14.0.0

oracle banking payments 14.1.0

oracle banking platform 2.4.0

oracle banking platform 2.4.1

oracle banking platform 2.5.0

oracle banking platform 2.6.0

oracle banking platform 2.6.1

oracle banking platform 2.6.2

oracle banking platform 2.7.0

oracle banking platform 2.7.1

oracle banking platform 2.9.0

oracle big data discovery 1.6

oracle communications diameter signaling router idih

oracle endeca information discovery studio 3.2.0

oracle enterprise manager base platform 12.1.0.5

oracle enterprise manager base platform 13.3.0.0

oracle enterprise manager base platform 13.4.0.0

oracle enterprise repository 12.1.3.0.0

oracle financial services analytical applications infrastructure

oracle financial services market risk measurement and management 8.0.6

oracle financial services market risk measurement and management 8.0.8

oracle flexcube private banking 12.0.0

oracle flexcube private banking 12.1.0

oracle hyperion infrastructure technology 11.1.2.4

oracle instantis enterprisetrack 17.1

oracle instantis enterprisetrack 17.2

oracle instantis enterprisetrack 17.3

oracle insurance policy administration j2ee 11.0.2

oracle insurance policy administration j2ee 11.1.0

oracle insurance policy administration j2ee 11.2.0

oracle insurance rules palette 10.2.0

oracle insurance rules palette 10.2.4

oracle insurance rules palette 11.0.2

oracle insurance rules palette 11.1.0

oracle insurance rules palette 11.2.0

oracle jdeveloper 12.2.1.4.0

oracle peoplesoft enterprise peopletools 8.57

oracle peoplesoft enterprise peopletools 8.58

oracle peoplesoft enterprise peopletools 8.59

oracle primavera gateway 17.12.6

oracle primavera gateway 18.8.8.1

oracle primavera unifier

oracle primavera unifier 16.1

oracle primavera unifier 16.2

oracle primavera unifier 18.8

oracle primavera unifier 19.12

oracle retail clearance optimization engine 14.0

oracle retail order broker 15.0

oracle retail order broker 16.0

oracle retail predictive application server 15.0.3

oracle retail predictive application server 16.0.3

oracle webcenter portal 12.2.1.3.0

oracle webcenter portal 12.2.1.4.0

oracle webcenter sites 12.2.1.3.0

oracle webcenter sites 12.2.1.4.0

Vendor Advisories

Debian Bug report logs - #943565 libapache-poi-java: CVE-2019-12415
Package: src:libapache-poi-java; Maintainer for src:libapache-poi-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 26 Oct 2019 15:06:02 UTC; Severity: impo ...

References

CWE-611
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943565
https://nvd.nist.gov
https://www.first.org/epss
https://lists.apache.org/thread.html/13a54b6a03369cfb418a699180ffb83bd727320b6ddfec198b9b728e%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/2ac0327748de0c2b3c1c012481b79936797c711724e0b7da83cf564c%40%3Cuser.tika.apache.org%3E
https://lists.apache.org/thread.html/895164e03a3c327449069e2fd6ced0367561878b3ae6a8ec740c2007%40%3Cuser.tika.apache.org%3E
https://lists.apache.org/thread.html/d88b8823867033514d7ec05d66f88c70dc207604d3dcbd44fd88464c%40%3Cuser.tika.apache.org%3E
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpuoct2021.html