List: oss-security
Subject: [oss-security] CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI
From: Dominik Stadler <centic () apache ! org>
Date: 2019-10-22 21:00:45
Message-ID: CABdJj56vHPvGo=nqZPYb1tPGVa_cSOwgBn6-TFj3FCE6KQXSEw () mail ! gmail ! com
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache POI up to version 4.1.0
Description:
When using the tool XSSFExportToXml to convert user-provided Microsoft
Excel documents, a specially crafted document can allow an attacker to
read files from the local filesystem or from internal network resources
via XML External Entity (XXE) Processing.
Mitigation:
Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml
are not affected. Affected users are advised to update to Apache POI 4.1.1
which fixes this vulnerability.
Credit:
This issue was discovered by Artem Smotrakov from SAP.
References:
https://en.wikipedia.org/wiki/XML_external_entity_attack
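
An added example, not part of the advisory or of Apache POI: a Python check that applies the advisory's two conditions to a project tree, flagging POI jars older than 4.1.1 and source files that reference XSSFExportToXml. The Maven-style jar naming, the source file extensions and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 1, 1)          # first fixed release named in the advisory
TOOL = "XSSFExportToXml"   # the affected tool named in the advisory
# Assumption: jars use Maven naming (artifact-version.jar), e.g. poi-ooxml-4.1.0.jar
JAR_RE = re.compile(r"^(poi(?:-[a-z]+)*)-(\d+(?:\.\d+)*)")
# Assumption: JVM source files that could call the tool
SOURCE_SUFFIXES = {".java", ".kt", ".scala", ".groovy"}


def parse_version(text):
    """'4.1.0' -> (4, 1, 0); tuples compare element by element."""
    return tuple(int(part) for part in text.split("."))


def triage(root):
    """Report POI jars below the fixed release and sources naming the tool."""
    root = Path(root)
    old_jars = []
    for jar in root.rglob("*.jar"):
        match = JAR_RE.match(jar.name)
        if match and parse_version(match.group(2)) < FIXED:
            old_jars.append(jar.name)
    callers = []
    for src in root.rglob("*"):
        if src.is_file() and src.suffix in SOURCE_SUFFIXES:
            # Text search only: compiled classes and reflection are not covered
            if TOOL in src.read_text(errors="ignore"):
                callers.append(src.name)
    return {"old_jars": sorted(old_jars), "callers": sorted(callers),
            "affected": bool(old_jars and callers)}


def demo():
    """Run triage over a constructed sample tree (not real project data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        for name in ("poi-4.1.0.jar", "poi-ooxml-4.1.0.jar", "pointer-1.0.jar"):
            (root / "lib" / name).touch()
        (root / "Export.java").write_text(
            "import org.apache.poi.xssf.extractor.XSSFExportToXml;\n")
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

A tree is reported as affected only when both conditions hold, matching the advisory's statement that users who do not use the tool are not affected.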