GHSA-9jwc-q6j3-8g9g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9jwc-q6j3-8g9g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9jwc-q6j3-8g9g/GHSA-9jwc-q6j3-8g9g.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-9jwc-q6j3-8g9g
- Aliases
- Published
- 2022-05-24T16:59:46Z
- Modified
- 2023-11-01T04:50:20.045374Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Improper Restriction of XML External Entity Reference in Apache POI
- Details
-
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
- Database specific
{ "severity": "MODERATE", "github_reviewed": true, "nvd_published_at": "2019-10-23T20:15:00Z", "github_reviewed_at": "2022-06-28T14:11:47Z", "cwe_ids": [ "CWE-611" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-12415
- https://github.com/apache/poi
- https://lists.apache.org/thread.html/13a54b6a03369cfb418a699180ffb83bd727320b6ddfec198b9b728e@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/2ac0327748de0c2b3c1c012481b79936797c711724e0b7da83cf564c@%3Cuser.tika.apache.org%3E
- https://lists.apache.org/thread.html/895164e03a3c327449069e2fd6ced0367561878b3ae6a8ec740c2007@%3Cuser.tika.apache.org%3E
- https://lists.apache.org/thread.html/d88b8823867033514d7ec05d66f88c70dc207604d3dcbd44fd88464c@%3Cuser.tika.apache.org%3E
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Affected packages
Maven / org.apache.poi:poi
Package
- Name
- org.apache.poi:poi
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.poi/poi
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.1.1
Affected versions
3.*
3.0-FINAL
3.0.1-FINAL
3.0.2-beta1
3.0.2-beta2
3.0.2-FINAL
3.1-beta1
3.1-beta2
3.1-FINAL
3.2-FINAL
3.5-beta1
3.5-beta3
3.5-beta4
3.5-beta5
3.5-beta6
3.5-FINAL
3.6
3.7-beta1
3.7-beta2
3.7-beta3
3.7
3.8-beta1
3.8-beta2
3.8-beta3
3.8-beta4
3.8-beta5
3.8
3.9
3.10-beta1
3.10-beta2
3.10-FINAL
3.10.1
3.11-beta1
3.11-beta2
3.11-beta3
3.11
3.12-beta1
3.12
3.13-beta1
3.13
3.14-beta1
3.14
3.15-beta1
3.15-beta2
3.15
3.16-beta1
3.16-beta2
3.16
3.17-beta1
3.17
4.*
4.0.0
4.0.1
4.1.0