| [SICSR-18045] Issue with Apache POI where a specially crafted document can allow an attacker to read files from the local file system or from internal network resources | |
|---|---|
| Product Line: | Cede |
| Component/s: | |
| Affects Version/s: | |
| Fix Version/s: | SICS 20.1 |
| Customer: | DXC |
Problem:
Name: CVE-2019-12415
Description: In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
CWE: CWE-611
CVSS v2.0 Severity: LOW
CVSS v3.0 Severity:
Dependency: poi-3.17.jar
Solution:
Upgrade to Apache POI 4.1.1
Workaround:
Root Cause:
Extent of Impact:
Impact on Existing Data
Recovery Method for Existing Data Affected