CVE-2019-12415


Description

In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.

References

https://lists.apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.tika.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.tika.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cuser.tika.apache.org%3E

https://www.oracle.com/security-alerts/cpujan2020.html

https://lists.apache.org/thread.html/[email protected]%3Csolr-user.lucene.apache.org%3E

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Details

Source: MITRE

Published: 2019-10-23

Updated: 2021-10-20

Type: CWE-611

Risk Information

CVSS v2

Base Score: 2.1

Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 3.9

Severity: LOW

CVSS v3

Base Score: 5.5

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 1.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:poi:*:*:*:*:*:*:*:* versions up to 4.1.0 (inclusive)

Tenable Plugins


ID      Name                                                                    Product  Family       Severity
154418  Oracle WebCenter Sites Multiple Vulnerabilities (Oct 2021 CPU)          Nessus   Windows      critical
152033  Oracle JDeveloper XXE (July 2021 CPU)                                   Nessus   Misc.        critical
152026  Oracle Database Server Multiple Vulnerabilities (Jul 2021 CPU)          Nessus   Databases    high
138564  Oracle WebCenter Portal Multiple Vulnerabilities (Jul 2020 CPU)         Nessus   Misc.        high
138555  Oracle Enterprise Manager Cloud Control (Jul 2020 CPU)                  Nessus   Misc.        high
133359  Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2020 CPU)        Nessus   CGI abuses   critical
133260  Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2020 CPU) Nessus   Misc.        critical
132936  Oracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU)        Nessus   CGI abuses   critical