CVE-2019-12415: XSS
First published: Wed Oct 23 2019(Updated: )
Apache POI could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by tool XSSFExportToXml. By sending a specially-crafted document, a remote attacker could exploit this vulnerability to obtain sensitive information.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/poi | <4.1.0 | 4.1.0 |
| Apache POI | <=4.1.0 | |
| Oracle Application Testing Suite | =12.5.0.3 | |
| Oracle Application Testing Suite | =13.1.0.1 | |
| Oracle Application Testing Suite | =13.2.0.1 | |
| Oracle Application Testing Suite | =13.3.0.1 | |
| Oracle Banking Enterprise Originations | =2.7.0 | |
| Oracle Banking Enterprise Originations | =2.8.0 | |
| Oracle Banking Enterprise Product Manufacturing | =2.7.0 | |
| Oracle Banking Enterprise Product Manufacturing | =2.8.0 | |
| Oracle Banking Payments | =14.0.0 | |
| Oracle Banking Payments | =14.1.0 | |
| Oracle Banking Platform | =2.4.0 | |
| Oracle Banking Platform | =2.4.1 | |
| Oracle Banking Platform | =2.5.0 | |
| Oracle Banking Platform | =2.6.0 | |
| Oracle Banking Platform | =2.6.1 | |
| Oracle Banking Platform | =2.6.2 | |
| Oracle Banking Platform | =2.7.0 | |
| Oracle Banking Platform | =2.7.1 | |
| Oracle Banking Platform | =2.9.0 | |
| Oracle Big Data Discovery | =1.6 | |
| Oracle Communications Diameter Signaling Router Idih\ | =8.0.0 | |
| Oracle Communications Diameter Signaling Router Idih\ | =8.2.2 | |
| Oracle Endeca Information Discovery Studio | =3.2.0 | |
| Oracle Enterprise Manager Base Platform | =12.1.0.5 | |
| Oracle Enterprise Manager Base Platform | =13.3.0.0 | |
| Oracle Enterprise Manager Base Platform | =13.4.0.0 | |
| Oracle Enterprise Repository | =12.1.3.0.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.6<=8.0.9 | |
| Oracle Financial Services Market Risk Measurement and Management | =8.0.6 | |
| Oracle Financial Services Market Risk Measurement and Management | =8.0.8 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Oracle Insurance Policy Administration J2EE | =11.0.2 | |
| Oracle Insurance Policy Administration J2EE | =11.1.0 | |
| Oracle Insurance Policy Administration J2EE | =11.2.0 | |
| Oracle Insurance Rules Palette | =10.2.0 | |
| Oracle Insurance Rules Palette | =10.2.4 | |
| Oracle Insurance Rules Palette | =11.0.2 | |
| Oracle Insurance Rules Palette | =11.1.0 | |
| Oracle Insurance Rules Palette | =11.2.0 | |
| Oracle JDeveloper | =12.2.1.4.0 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Oracle Primavera Gateway | =17.12.6 | |
| Oracle Primavera Gateway | =18.8.8.1 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =16.1 | |
| Oracle Primavera Unifier | =16.2 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Retail Clearance Optimization Engine | =14.0 | |
| Oracle Retail Order Broker | =15.0 | |
| Oracle Retail Order Broker | =16.0 | |
| Oracle Retail Predictive Application Server | =15.0.3 | |
| Oracle Retail Predictive Application Server | =16.0.3 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 | |
| Oracle WebCenter Sites | =12.2.1.3.0 | |
| Oracle WebCenter Sites | =12.2.1.4.0 |
Remedy
The vulnerability is in the XSSFExportToXml util; avoid usage of this tool to mitigate the vulnerability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-12415 https://nvd.nist.gov/vuln/detail/CVE-2019-12415
- https://bugzilla.redhat.com/show_bug.cgi?id=1802531
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/security/cve/cve-2019-12415
- https://lists.apache.org/thread.html/13a54b6a03369cfb418a699180ffb83bd727320b6ddfec198b9b728e@%3Cannounce.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802532
- https://lists.apache.org/thread.html/2ac0327748de0c2b3c1c012481b79936797c711724e0b7da83cf564c@%3Cuser.tika.apache.org%3E
- https://lists.apache.org/thread.html/895164e03a3c327449069e2fd6ced0367561878b3ae6a8ec740c2007@%3Cuser.tika.apache.org%3E
- https://lists.apache.org/thread.html/d88b8823867033514d7ec05d66f88c70dc207604d3dcbd44fd88464c@%3Cuser.tika.apache.org%3E
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/170015
- https://www.ibm.com/support/pages/node/6520510 (Advisory)
- https://lists.apache.org/thread.html/2ac0327748de0c2b3c1c012481b79936797c711724e0b7da83cf564c%40%3Cuser.tika.apache.org%3E
- https://lists.apache.org/thread.html/895164e03a3c327449069e2fd6ced0367561878b3ae6a8ec740c2007%40%3Cuser.tika.apache.org%3E
- https://lists.apache.org/thread.html/d88b8823867033514d7ec05d66f88c70dc207604d3dcbd44fd88464c%40%3Cuser.tika.apache.org%3E
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/13a54b6a03369cfb418a699180ffb83bd727320b6ddfec198b9b728e%40%3Cannounce.apache.org%3E
Frequently Asked Questions
What is CVE-2019-12415?
CVE-2019-12415 is a vulnerability in Apache POI that allows a remote attacker to obtain sensitive information through an XML external entity (XXE) error.
How does CVE-2019-12415 affect Apache POI?
CVE-2019-12415 affects Apache POI up to version 4.1.0.
What is the severity of CVE-2019-12415?
CVE-2019-12415 has a severity rating of medium.
How can a remote attacker exploit CVE-2019-12415?
A remote attacker can exploit CVE-2019-12415 by sending a specially-crafted document to the tool XSSFExportToXml, which can result in obtaining sensitive information.
Where can I find more information about CVE-2019-12415?
You can find more information about CVE-2019-12415 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2019-12415) and NVD (https://nvd.nist.gov/vuln/detail/CVE-2019-12415).
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/author
- agent/severity
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-12415
- agent/software-canonical-lookup
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/apache
- canonical/apache poi
- version/apache poi/4.1.0
- vendor/oracle
- canonical/oracle application testing suite
- version/oracle application testing suite/12.5.0.3
- version/oracle application testing suite/13.1.0.1
- version/oracle application testing suite/13.2.0.1
- version/oracle application testing suite/13.3.0.1
- canonical/oracle banking enterprise originations
- version/oracle banking enterprise originations/2.7.0
- version/oracle banking enterprise originations/2.8.0
- canonical/oracle banking enterprise product manufacturing
- version/oracle banking enterprise product manufacturing/2.7.0
- version/oracle banking enterprise product manufacturing/2.8.0
- canonical/oracle banking payments
- version/oracle banking payments/14.0.0
- version/oracle banking payments/14.1.0
- canonical/oracle banking platform
- version/oracle banking platform/2.4.0
- version/oracle banking platform/2.4.1
- version/oracle banking platform/2.5.0
- version/oracle banking platform/2.6.0
- version/oracle banking platform/2.6.1
- version/oracle banking platform/2.6.2
- version/oracle banking platform/2.7.0
- version/oracle banking platform/2.7.1
- version/oracle banking platform/2.9.0
- canonical/oracle big data discovery
- version/oracle big data discovery/1.6
- canonical/oracle communications diameter signaling router idih\
- version/oracle communications diameter signaling router idih\/8.0.0
- version/oracle communications diameter signaling router idih\/8.2.2
- canonical/oracle endeca information discovery studio
- version/oracle endeca information discovery studio/3.2.0
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/12.1.0.5
- version/oracle enterprise manager base platform/13.3.0.0
- version/oracle enterprise manager base platform/13.4.0.0
- canonical/oracle enterprise repository
- version/oracle enterprise repository/12.1.3.0.0
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.6
- version/oracle financial services analytical applications infrastructure/8.0.9
- canonical/oracle financial services market risk measurement and management
- version/oracle financial services market risk measurement and management/8.0.6
- version/oracle financial services market risk measurement and management/8.0.8
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle hyperion infrastructure technology
- version/oracle hyperion infrastructure technology/11.1.2.4
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle insurance policy administration j2ee
- version/oracle insurance policy administration j2ee/11.0.2
- version/oracle insurance policy administration j2ee/11.1.0
- version/oracle insurance policy administration j2ee/11.2.0
- canonical/oracle insurance rules palette
- version/oracle insurance rules palette/10.2.0
- version/oracle insurance rules palette/10.2.4
- version/oracle insurance rules palette/11.0.2
- version/oracle insurance rules palette/11.1.0
- version/oracle insurance rules palette/11.2.0
- canonical/oracle jdeveloper
- version/oracle jdeveloper/12.2.1.4.0
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59
- canonical/oracle primavera gateway
- version/oracle primavera gateway/17.12.6
- version/oracle primavera gateway/18.8.8.1
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/16.1
- version/oracle primavera unifier/16.2
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- canonical/oracle retail clearance optimization engine
- version/oracle retail clearance optimization engine/14.0
- canonical/oracle retail order broker
- version/oracle retail order broker/15.0
- version/oracle retail order broker/16.0
- canonical/oracle retail predictive application server
- version/oracle retail predictive application server/15.0.3
- version/oracle retail predictive application server/16.0.3
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0
- version/oracle webcenter portal/12.2.1.4.0
- canonical/oracle webcenter sites
- version/oracle webcenter sites/12.2.1.3.0
- version/oracle webcenter sites/12.2.1.4.0