Vulnerability Description
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Poi | <= 4.1.0 |
| Oracle | Application Testing Suite | 12.5.0.3 |
| Oracle | Banking Enterprise Originations | 2.7.0 |
| Oracle | Banking Enterprise Product Manufacturing | 2.7.0 |
| Oracle | Banking Payments | 14.0.0 |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Big Data Discovery | 1.6 |
| Oracle | Communications Diameter Signaling Router Idih | |
| Oracle | Endeca Information Discovery Studio | 3.2.0 |
| Oracle | Enterprise Manager Base Platform | 12.1.0.5 |
| Oracle | Enterprise Repository | 12.1.3.0.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.0.9 |
| Oracle | Financial Services Market Risk Measurement And Management | 8.0.6 |
| Oracle | Flexcube Private Banking | 12.0.0 |
| Oracle | Hyperion Infrastructure Technology | 11.1.2.4 |
| Oracle | Instantis Enterprisetrack | 17.1 |
| Oracle | Insurance Policy Administration J2Ee | 11.0.2 |
| Oracle | Insurance Rules Palette | 10.2.0 |
| Oracle | Jdeveloper | 12.2.1.4.0 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.57 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/13a54b6a03369cfb418a699180ffb83bd727320b6dd
- https://lists.apache.org/thread.html/2ac0327748de0c2b3c1c012481b79936797c711724e
- https://lists.apache.org/thread.html/895164e03a3c327449069e2fd6ced0367561878b3ae
- https://lists.apache.org/thread.html/d88b8823867033514d7ec05d66f88c70dc207604d3d
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133dee
- https://www.oracle.com//security-alerts/cpujul2021.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Third Party Advisory)
FAQ
What is CVE-2019-12415?
CVE-2019-12415 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
How severe is CVE-2019-12415?
CVE-2019-12415 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-12415?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Poi, Oracle Application Testing Suite, Oracle Banking Enterprise Originations, Oracle Banking Enterprise Product Manufacturing, Oracle Banking Payments.