CVE-2019-12415

moderate-risk
Published 2019-10-23

In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.

Do I need to act?

-
0.02% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (20)

Poi

Affected Vendors

Apache Oracle

References (26)

https://lists.apache.org/thread.html/13a54b6a03369cfb418a699180ffb83bd727320b6dd...
https://lists.apache.org/thread.html/2ac0327748de0c2b3c1c012481b79936797c711724e...
https://lists.apache.org/thread.html/895164e03a3c327449069e2fd6ced0367561878b3ae...
https://lists.apache.org/thread.html/d88b8823867033514d7ec05d66f88c70dc207604d3d...
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133dee...
Third Party Advisory https://www.oracle.com//security-alerts/cpujul2021.html
Third Party Advisory https://www.oracle.com/security-alerts/cpuApr2021.html
Third Party Advisory https://www.oracle.com/security-alerts/cpuapr2020.html
Third Party Advisory https://www.oracle.com/security-alerts/cpujan2020.html
Third Party Advisory https://www.oracle.com/security-alerts/cpujan2021.html
Third Party Advisory https://www.oracle.com/security-alerts/cpujul2020.html
Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2021.html
https://lists.apache.org/thread.html/13a54b6a03369cfb418a699180ffb83bd727320b6dd...
https://lists.apache.org/thread.html/2ac0327748de0c2b3c1c012481b79936797c711724e...
https://lists.apache.org/thread.html/895164e03a3c327449069e2fd6ced0367561878b3ae...
https://lists.apache.org/thread.html/d88b8823867033514d7ec05d66f88c70dc207604d3d...
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133dee...
Third Party Advisory https://www.oracle.com//security-alerts/cpujul2021.html
Third Party Advisory https://www.oracle.com/security-alerts/cpuApr2021.html
and 6 more references
45
/ 100
moderate-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 27/34 · High