5.5
CVE-2019-12415
- EPSS 0.02%
- Published 23.10.2019 20:15:12
- Last modified 21.11.2024 04:22:47
- Source security@apache.org
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
Data is provided by the National Vulnerability Database (NVD)
Oracle ≫ Application Testing Suite Version 12.5.0.3
Oracle ≫ Application Testing Suite Version 13.1.0.1
Oracle ≫ Application Testing Suite Version 13.2.0.1
Oracle ≫ Application Testing Suite Version 13.3.0.1
Oracle ≫ Banking Enterprise Originations Version 2.7.0
Oracle ≫ Banking Enterprise Originations Version 2.8.0
Oracle ≫ Banking Enterprise Product Manufacturing Version 2.7.0
Oracle ≫ Banking Enterprise Product Manufacturing Version 2.8.0
Oracle ≫ Banking Payments Version 14.0.0
Oracle ≫ Banking Payments Version 14.1.0
Oracle ≫ Banking Platform Version 2.4.0
Oracle ≫ Banking Platform Version 2.4.1
Oracle ≫ Banking Platform Version 2.5.0
Oracle ≫ Banking Platform Version 2.6.0
Oracle ≫ Banking Platform Version 2.6.1
Oracle ≫ Banking Platform Version 2.6.2
Oracle ≫ Banking Platform Version 2.7.0
Oracle ≫ Banking Platform Version 2.7.1
Oracle ≫ Banking Platform Version 2.9.0
Oracle ≫ Big Data Discovery Version 1.6
Oracle ≫ Communications Diameter Signaling Router Idih: Version 8.0.0
Oracle ≫ Communications Diameter Signaling Router Idih: Version 8.2.2
Oracle ≫ Endeca Information Discovery Studio Version 3.2.0
Oracle ≫ Enterprise Manager Base Platform Version 12.1.0.5
Oracle ≫ Enterprise Manager Base Platform Version 13.3.0.0
Oracle ≫ Enterprise Manager Base Platform Version 13.4.0.0
Oracle ≫ Enterprise Repository Version 12.1.3.0.0
Oracle ≫ Financial Services Analytical Applications Infrastructure Version >= 8.0.6 <= 8.0.9
Oracle ≫ Financial Services Market Risk Measurement And Management Version 8.0.6
Oracle ≫ Financial Services Market Risk Measurement And Management Version 8.0.8
Oracle ≫ Flexcube Private Banking Version 12.0.0
Oracle ≫ Flexcube Private Banking Version 12.1.0
Oracle ≫ Hyperion Infrastructure Technology Version 11.1.2.4
Oracle ≫ Instantis Enterprisetrack Version 17.1
Oracle ≫ Instantis Enterprisetrack Version 17.2
Oracle ≫ Instantis Enterprisetrack Version 17.3
Oracle ≫ Insurance Policy Administration J2ee Version 11.0.2
Oracle ≫ Insurance Policy Administration J2ee Version 11.1.0
Oracle ≫ Insurance Policy Administration J2ee Version 11.2.0
Oracle ≫ Insurance Rules Palette Version 10.2.0
Oracle ≫ Insurance Rules Palette Version 10.2.4
Oracle ≫ Insurance Rules Palette Version 11.0.2
Oracle ≫ Insurance Rules Palette Version 11.1.0
Oracle ≫ Insurance Rules Palette Version 11.2.0
Oracle ≫ Jdeveloper Version 12.2.1.4.0
Oracle ≫ Peoplesoft Enterprise Peopletools Version 8.57
Oracle ≫ Peoplesoft Enterprise Peopletools Version 8.58
Oracle ≫ Peoplesoft Enterprise Peopletools Version 8.59
Oracle ≫ Primavera Gateway Version 17.12.6
Oracle ≫ Primavera Gateway Version 18.8.8.1
Oracle ≫ Primavera Unifier Version >= 17.7 <= 17.12
Oracle ≫ Primavera Unifier Version 16.1
Oracle ≫ Primavera Unifier Version 16.2
Oracle ≫ Primavera Unifier Version 18.8
Oracle ≫ Primavera Unifier Version 19.12
Oracle ≫ Retail Clearance Optimization Engine Version 14.0
Oracle ≫ Retail Order Broker Version 15.0
Oracle ≫ Retail Order Broker Version 16.0
Oracle ≫ Retail Predictive Application Server Version 15.0.3
Oracle ≫ Retail Predictive Application Server Version 16.0.3
Oracle ≫ Webcenter Portal Version 12.2.1.3.0
Oracle ≫ Webcenter Portal Version 12.2.1.4.0
Oracle ≫ Webcenter Sites Version 12.2.1.3.0
Oracle ≫ Webcenter Sites Version 12.2.1.4.0
No CISA KEV or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.02% | 0.034 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 5.5 | 1.8 | 3.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
nvd@nist.gov | 2.1 | 3.9 | 2.9 | AV:L/AC:L/Au:N/C:P/I:N/A:N |
CWE-611 Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.