Hi, in czy-study-java-commons-utils-master/java-8, there is a dependency org.apache.poi:poi-ooxml:4.0.1 that calls the risk method.
CVE-2019-12415
The affected version range of this CVE is [,4.1.0)
After further analysis, in this project, the main API called is <org.apache.poi.xssf.streaming.SheetDataWriter: void writeCell(int,org.apache.poi.ss.usermodel.Cell)>
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length : 8
<org.apache.poi.xssf.streaming.SheetDataWriter: void writeCell(int,org.apache.poi.ss.usermodel.Cell)>
at <org.apache.poi.xssf.streaming.SheetDataWriter: void writeRow(int,org.apache.poi.xssf.streaming.SXSSFRow)> (org.apache.poi.xssf.streaming.SheetDataWriter.java:[207]) in /.m2/repository/org/apache/poi/poi-ooxml/4.0.1/poi-ooxml-4.0.1.jar
at <org.apache.poi.xssf.streaming.SXSSFSheet: void flushOneRow()> (org.apache.poi.xssf.streaming.SXSSFSheet.java:[1876]) in /.m2/repository/org/apache/poi/poi-ooxml/4.0.1/poi-ooxml-4.0.1.jar
at <org.apache.poi.xssf.streaming.SXSSFSheet: void flushRows(int)> (org.apache.poi.xssf.streaming.SXSSFSheet.java:[1851]) in /.m2/repository/org/apache/poi/poi-ooxml/4.0.1/poi-ooxml-4.0.1.jar
at <org.apache.poi.xssf.streaming.SXSSFSheet: org.apache.poi.xssf.streaming.SXSSFRow createRow(int)> (org.apache.poi.xssf.streaming.SXSSFSheet.java:[146]) in /.m2/repository/org/apache/poi/poi-ooxml/4.0.1/poi-ooxml-4.0.1.jar
at <com.github.andyczy.java.excel.CommonsUtils: void setDataList(org.apache.poi.xssf.streaming.SXSSFWorkbook,org.apache.poi.xssf.streaming.SXSSFRow,java.util.List,java.util.HashMap,java.util.HashMap,java.util.HashMap,java.util.HashMap,java.util.HashMap,java.lang.String[],java.lang.String[],java.util.HashMap,java.util.HashMap,java.util.HashMap)> (com.github.andyczy.java.excel.CommonsUtils.java:[70, 104]) in /.m2/repository/com/github/andyczy/java-excel-utils/4.0/java-excel-utils-4.0.jar
at <com.github.andyczy.java.excel.LocalExcelUtils: java.lang.Boolean localNoResponse()> (com.github.andyczy.java.excel.LocalExcelUtils.java:[118]) in /.m2/repository/com/github/andyczy/java-excel-utils/4.0/java-excel-utils-4.0.jar
at <excelUtils.ExcelUtilsTest: void main(java.lang.String[])> (excelUtils.ExcelUtilsTest.java:[59]) in /detect/unzip/czy-study-java-commons-utils-master/java-8/target/classes
Dependency tree--
Suggested solutions:
Update dependency version
Thank you very much.