Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-12415

In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.

Published

2019-10-23T20:15:12.707

Last Modified

2024-11-21T04:22:47.553

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:P/I:N/A:N

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

3.9

Impact Score

2.9

Weaknesses

Type: Primary
CWE-611

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	poi	≤ 4.1.0	Yes
Application	oracle	application_testing_suite	12.5.0.3	Yes
Application	oracle	application_testing_suite	13.1.0.1	Yes
Application	oracle	application_testing_suite	13.2.0.1	Yes
Application	oracle	application_testing_suite	13.3.0.1	Yes
Application	oracle	banking_enterprise_originations	2.7.0	Yes
Application	oracle	banking_enterprise_originations	2.8.0	Yes
Application	oracle	banking_enterprise_product_manufacturing	2.7.0	Yes
Application	oracle	banking_enterprise_product_manufacturing	2.8.0	Yes
Application	oracle	banking_payments	14.0.0	Yes
Application	oracle	banking_payments	14.1.0	Yes
Application	oracle	banking_platform	2.4.0	Yes
Application	oracle	banking_platform	2.4.1	Yes
Application	oracle	banking_platform	2.5.0	Yes
Application	oracle	banking_platform	2.6.0	Yes
Application	oracle	banking_platform	2.6.1	Yes
Application	oracle	banking_platform	2.6.2	Yes
Application	oracle	banking_platform	2.7.0	Yes
Application	oracle	banking_platform	2.7.1	Yes
Application	oracle	banking_platform	2.9.0	Yes
Application	oracle	big_data_discovery	1.6	Yes
Application	oracle	communications_diameter_signaling_router_idih\		Yes
Application	oracle	communications_diameter_signaling_router_idih\		Yes
Application	oracle	endeca_information_discovery_studio	3.2.0	Yes
Application	oracle	enterprise_manager_base_platform	12.1.0.5	Yes
Application	oracle	enterprise_manager_base_platform	13.3.0.0	Yes
Application	oracle	enterprise_manager_base_platform	13.4.0.0	Yes
Application	oracle	enterprise_repository	12.1.3.0.0	Yes
Application	oracle	financial_services_analytical_applications_infrastructure	≤ 8.0.9	Yes
Application	oracle	financial_services_market_risk_measurement_and_management	8.0.6	Yes
Application	oracle	financial_services_market_risk_measurement_and_management	8.0.8	Yes
Application	oracle	flexcube_private_banking	12.0.0	Yes
Application	oracle	flexcube_private_banking	12.1.0	Yes
Application	oracle	hyperion_infrastructure_technology	11.1.2.4	Yes
Application	oracle	instantis_enterprisetrack	17.1	Yes
Application	oracle	instantis_enterprisetrack	17.2	Yes
Application	oracle	instantis_enterprisetrack	17.3	Yes
Application	oracle	insurance_policy_administration_j2ee	11.0.2	Yes
Application	oracle	insurance_policy_administration_j2ee	11.1.0	Yes
Application	oracle	insurance_policy_administration_j2ee	11.2.0	Yes
Application	oracle	insurance_rules_palette	10.2.0	Yes
Application	oracle	insurance_rules_palette	10.2.4	Yes
Application	oracle	insurance_rules_palette	11.0.2	Yes
Application	oracle	insurance_rules_palette	11.1.0	Yes
Application	oracle	insurance_rules_palette	11.2.0	Yes
Application	oracle	jdeveloper	12.2.1.4.0	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.57	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.58	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.59	Yes
Application	oracle	primavera_gateway	17.12.6	Yes
Application	oracle	primavera_gateway	18.8.8.1	Yes
Application	oracle	primavera_unifier	≤ 17.12	Yes
Application	oracle	primavera_unifier	16.1	Yes
Application	oracle	primavera_unifier	16.2	Yes
Application	oracle	primavera_unifier	18.8	Yes
Application	oracle	primavera_unifier	19.12	Yes
Application	oracle	retail_clearance_optimization_engine	14.0	Yes
Application	oracle	retail_order_broker	15.0	Yes
Application	oracle	retail_order_broker	16.0	Yes
Application	oracle	retail_predictive_application_server	15.0.3	Yes
Application	oracle	retail_predictive_application_server	16.0.3	Yes
Application	oracle	webcenter_portal	12.2.1.3.0	Yes
Application	oracle	webcenter_portal	12.2.1.4.0	Yes
Application	oracle	webcenter_sites	12.2.1.3.0	Yes
Application	oracle	webcenter_sites	12.2.1.4.0	Yes

References

https://lists.apache.org/thread.html/13a54b6a03369cfb418a699180ffb83bd727320b6ddfec198b9b728e%40%3Cannounce.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/2ac0327748de0c2b3c1c012481b79936797c711724e0b7da83cf564c%40%3Cuser.tika.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/895164e03a3c327449069e2fd6ced0367561878b3ae6a8ec740c2007%40%3Cuser.tika.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/d88b8823867033514d7ec05d66f88c70dc207604d3dcbd44fd88464c%40%3Cuser.tika.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E ([email protected])
https://www.oracle.com//security-alerts/cpujul2021.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuApr2021.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2020.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujan2020.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujan2021.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2020.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuoct2021.html Third Party Advisory ([email protected])
https://lists.apache.org/thread.html/13a54b6a03369cfb418a699180ffb83bd727320b6ddfec198b9b728e%40%3Cannounce.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/2ac0327748de0c2b3c1c012481b79936797c711724e0b7da83cf564c%40%3Cuser.tika.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/895164e03a3c327449069e2fd6ced0367561878b3ae6a8ec740c2007%40%3Cuser.tika.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/d88b8823867033514d7ec05d66f88c70dc207604d3dcbd44fd88464c%40%3Cuser.tika.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com//security-alerts/cpujul2021.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuApr2021.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2020.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2020.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2021.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2020.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2020.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2021.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)