
List:       oss-security
Subject:    [oss-security] CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI
From:       Dominik Stadler <centic () apache ! org>
Date:       2019-10-22 21:00:45
Message-ID: CABdJj56vHPvGo=nqZPYb1tPGVa_cSOwgBn6-TFj3FCE6KQXSEw () mail ! gmail ! com


Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache POI up to version 4.1.0

Description:
When using the tool XSSFExportToXml to convert user-provided Microsoft
Excel documents, a specially crafted document can allow an attacker to
read files from the local filesystem or from internal network resources
via XML External Entity (XXE) Processing.

Mitigation:
Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml
are not affected. Affected users are advised to update to Apache POI 4.1.1,
which fixes this vulnerability.

Credit:
This issue was discovered by Artem Smotrakov from SAP

References:
https://en.wikipedia.org/wiki/XML_external_entity_attack

