qparis / spring-spreadsheet

Apache License 2.0

CVE-2019-12415 (Medium) detected in poi-ooxml-3.17.jar #7

Open mend-bolt-for-github[bot] opened 3 years ago

mend-bolt-for-github[bot] commented 3 years ago

CVE-2019-12415 - Medium Severity Vulnerability

Vulnerable Library - poi-ooxml-3.17.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /ry/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar

Dependency Hierarchy:
- :x: **poi-ooxml-3.17.jar** (Vulnerable Library)

Found in HEAD commit: f7c1755c9ca9fc041d98d7ecaf19f42af97d3b85

Found in base branch: main

Vulnerability Details

In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.

Publish Date: 2019-10-23

URL: CVE-2019-12415

CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12415

Release Date: 2019-10-23

Fix Resolution: 4.1.1
