Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry. This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries with duplicate file names are found in the input file. Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations about how to use the POI libraries securely.

SAP BusinessObjects BIP (October 2025)

The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2025 CPU advisory.

  - Vulnerability in the SQLcl (jgit) component of Oracle Database Server. Supported versions that are     affected are 23.4-23.9. Difficult to exploit vulnerability allows low privileged attacker having Valid     account privilege with network access via HTTP to compromise SQLcl (jgit). Successful attacks require     human interaction from a person other than the attacker. Successful attacks of this vulnerability can     result in unauthorized access to critical data or complete access to all SQLcl (jgit) accessible data.
    (CVE-2025-4949)

  - Vulnerability in the RDBMS (Python) component of Oracle Database Server. Supported versions that are     affected are 21.3-21.19 and 23.4-23.9. Easily exploitable vulnerability allows low privileged attacker     having Authenticated User privilege with logon to the infrastructure where RDBMS (Python) executes to     compromise RDBMS (Python). Successful attacks require human interaction from a person other than the     attacker. Successful attacks of this vulnerability can result in takeover of RDBMS (Python).
    (CVE-2024-12254, CVE-2024-12718, CVE-2024-6923, CVE-2024-8088, CVE-2025-1795, CVE-2025-4138,     CVE-2025-4330, CVE-2025-4435, CVE-2025-4517)

  - Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are     19.3-19.28, 21.3-21.19 and 23.4-23.9. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can     result in unauthorized creation, deletion or modification access to critical data or all Java VM     accessible data. (CVE-2025-61881)

  - Vulnerability in the Portable Clusterware component of Oracle Database Server. Supported versions that are     affected are 19.3-19.28, 21.3-21.19 and 23.4-23.9. Easily exploitable vulnerability allows unauthenticated     attacker with network access via Bonjour to compromise Portable Clusterware. While the vulnerability is in     Portable Clusterware, attacks may significantly impact additional products (scope change). Successful     attacks of this vulnerability can result in unauthorized read access to a subset of Portable Clusterware     accessible data. (CVE-2025-53047)

  - Vulnerability in the Unified Audit component of Oracle Database Server. Supported versions that are     affected are 23.4-23.9. Easily exploitable vulnerability allows high privileged attacker having DBA     privilege with network access via Oracle Net to compromise Unified Audit. Successful attacks of this     vulnerability can result in unauthorized update, insert or delete access to some of Unified Audit     accessible data. (CVE-2025-61749)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Process Management Suite installed on the remote host is affected by a vulnerability, as referenced in the April 2025 CPU advisory:

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware     (component: Oracle Business Rules (Apache POI)). Supported versions that are affected are 12.2.1.4.0 and     14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability can     result in unauthorized update, insert or delete access to some of Oracle Business Process Management     Suite accessible data. (CVE-2025-31672)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files     like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious     users to add zip entries with duplicate names (including the path) in the zip. In this case, products     reading the affected file could read different data because 1 of the zip entries with the duplicate name     is selected over another but different products may choose a different zip entry. This issue affects     Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries     with duplicate file names are found in the input file. Users are recommended to upgrade to version poi-     ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations     about how to use the POI libraries securely. (CVE-2025-31672)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of Apache POI installed on the remote host is a version prior to 5.4.0. It is, therefore, affected by an improper input validation vulnerability. The issue affects the parsing of OOXML format files like xlsx, docx, and pptx. These file formats are essentially zip files, and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In such cases, products reading the affected file could read different data because one of the zip entries with the duplicate name is selected over another, but different products may choose a different zip entry. This issue affects Apache POI poi-ooxml before 5.4.0. Version 5.4.0 introduces a check that throws an exception if zip entries with duplicate file names are found in the input file.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
271256	Oracle Database Server (October 2025 CPU)	Nessus	Databases	high
242326	Oracle Business Process Management Suite (July 2025 CPU)	Nessus	Misc.	medium
234194	Linux Distros Unpatched Vulnerability : CVE-2025-31672	Nessus	Misc.	medium
234190	Apache POI < 5.4.0 Improper Input Validation	Nessus	Misc.	medium

Detections

Analytics

CVE-2025-31672

medium

Tenable Plugins

Coming Soon

high

medium

medium

medium