Vulnerability Identifier
CVE-2019-12415
2019-10-23
Severity Assessment
5.5
MEDIUM
CVSS v3.x Score
Clinical Analysis (Description)
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
Vector Sequencing
Attack Parameters
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Impact Consequences
Technical Impact
Unchanged
Scope
High
Confidentiality
None
Integrity
None
Availability
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v2 Score (Legacy)
2.1
For backward compatibility
EPSS Probability
0.02%
Percentile: 6.2%
Affected Population
Affected Configurations
Total: 125 detected entries
Software List
Scrollable
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.6.0.0
or
endeca_information_discovery_studio
Vendor: oracle • v3.2.0
or
banking_platform
Vendor: oracle • v2.4.1
or
instantis_enterprisetrack
Vendor: oracle • v17.3
ap
poi
Vendor: apache • v1.1.0
ap
poi
Vendor: apache • v3.10
or
primavera_unifier
Vendor: oracle • v17.10
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.7.2.0
or
peoplesoft_enterprise_peopletools
Vendor: oracle • v8.59
ap
poi
Vendor: apache • v1.7
ap
poi
Vendor: apache • v2.5
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.8.6
or
flexcube_private_banking
Vendor: oracle • v12.1.0
ap
poi
Vendor: apache • v3.11
or
application_testing_suite
Vendor: oracle • v13.2.0.1
or
insurance_policy_administration_j2ee
Vendor: oracle • v11.0.2
or
primavera_unifier
Vendor: oracle • v17.9
ap
poi
Vendor: apache • v3.13
ap
poi
Vendor: apache • v0.11.0
or
primavera_unifier
Vendor: oracle • v16.2
or
banking_platform
Vendor: oracle • v2.6.1
ap
poi
Vendor: apache • v3.14
ap
poi
Vendor: apache • v1.2.0
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.7
ap
poi
Vendor: apache • v0.4
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.9
or
retail_order_broker
Vendor: oracle • v16.0
or
jdeveloper
Vendor: oracle • v12.2.1.4.0
ap
poi
Vendor: apache • v0.14.0
or
primavera_unifier
Vendor: oracle • v17.11
or
retail_predictive_application_server
Vendor: oracle • v15.0.3
ap
poi
Vendor: apache • v3.2
ap
poi
Vendor: apache • v1.0.0
or
peoplesoft_enterprise_peopletools
Vendor: oracle • v8.57
or
hyperion_infrastructure_technology
Vendor: oracle • v11.1.2.4
or
enterprise_manager_base_platform
Vendor: oracle • v12.1.0.5
or
instantis_enterprisetrack
Vendor: oracle • v17.2
ap
poi
Vendor: apache • v0.12.0
or
insurance_rules_palette
Vendor: oracle • v10.2.4
or
financial_services_market_risk_measurement_and_management
Vendor: oracle • v8.0.6
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.7.0.0
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.8
ap
poi
Vendor: apache • v2.0
or
retail_clearance_optimization_engine
Vendor: oracle • v14.0
ap
poi
Vendor: apache • v0.2
ap
poi
Vendor: apache • v0.10.0
or
primavera_unifier
Vendor: oracle • v17.8
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.7.1.0
or
enterprise_manager_base_platform
Vendor: oracle • v13.3.0.0
or
application_testing_suite
Vendor: oracle • v12.5.0.3
or
peoplesoft_enterprise_peopletools
Vendor: oracle • v8.58
or
application_testing_suite
Vendor: oracle • v13.1.0.1
ap
poi
Vendor: apache • v0.1
or
retail_predictive_application_server
Vendor: oracle • v16.0.3
or
insurance_rules_palette
Vendor: oracle • v11.2.0
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.6.0.1
or
banking_payments
Vendor: oracle • v14.0.0
ap
poi
Vendor: apache • v3.7
or
application_testing_suite
Vendor: oracle • v13.3.0.1
or
insurance_policy_administration_j2ee
Vendor: oracle • v11.1.0
or
flexcube_private_banking
Vendor: oracle • v12.0.0
or
banking_enterprise_originations
Vendor: oracle • v2.8.0
ap
poi
Vendor: apache • v0.13.0
or
primavera_unifier
Vendor: oracle • v19.12
or
insurance_rules_palette
Vendor: oracle • v10.2.0
ap
poi
Vendor: apache • v3.0.2
ap
poi
Vendor: apache • v4.1.0
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.6
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.8.0.0
or
instantis_enterprisetrack
Vendor: oracle • v17.1
ap
poi
Vendor: apache • v0.5
or
banking_payments
Vendor: oracle • v14.1.0
ap
poi
Vendor: apache • v1.8
ap
poi
Vendor: apache • v3.6
or
retail_order_broker
Vendor: oracle • v15.0
or
primavera_unifier
Vendor: oracle • v17.7
ap
poi
Vendor: apache • v3.17
ap
poi
Vendor: apache • v0.7
or
banking_enterprise_product_manufacturing
Vendor: oracle • v2.8.0
or
banking_platform
Vendor: oracle • v2.4.0
or
webcenter_sites
Vendor: oracle • v12.2.1.4.0
ap
poi
Vendor: apache • v2.5.1
ap
poi
Vendor: apache • v1.0.1
or
webcenter_sites
Vendor: oracle • v12.2.1.3.0
or
enterprise_manager_base_platform
Vendor: oracle • v13.4.0.0
or
primavera_gateway
Vendor: oracle • v18.8.8.1
or
insurance_rules_palette
Vendor: oracle • v11.1.0
or
banking_platform
Vendor: oracle • v2.7.0
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.6.3.0
or
financial_services_market_risk_measurement_and_management
Vendor: oracle • v8.0.8
ap
poi
Vendor: apache • v1.5.1
or
banking_platform
Vendor: oracle • v2.6.2
ap
poi
Vendor: apache • v0.6
ap
poi
Vendor: apache • v1.0.2
ap
poi
Vendor: apache • v3.5
ap
poi
Vendor: apache • v3.8
or
insurance_rules_palette
Vendor: oracle • v11.0.2
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.8.5
or
webcenter_portal
Vendor: oracle • v12.2.1.4.0
or
insurance_policy_administration_j2ee
Vendor: oracle • v11.2.0
or
banking_platform
Vendor: oracle • v2.7.1
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.6.1.0
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.7.8
ap
poi
Vendor: apache • v0.3
or
primavera_unifier
Vendor: oracle • v17.12
or
webcenter_portal
Vendor: oracle • v12.2.1.3.0
ap
poi
Vendor: apache • v1.10
or
banking_platform
Vendor: oracle • v2.9.0
ap
poi
Vendor: apache • v3.9
or
banking_enterprise_originations
Vendor: oracle • v2.7.0
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.9.0.0
or
enterprise_repository
Vendor: oracle • v12.1.3.0.0
ap
poi
Vendor: apache • v1.5
or
primavera_unifier
Vendor: oracle • v16.1
ap
poi
Vendor: apache • v3.0.1
or
primavera_gateway
Vendor: oracle • v17.12.6
or
banking_enterprise_product_manufacturing
Vendor: oracle • v2.7.0
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.6.4.0
ap
poi
Vendor: apache • v3.1
or
banking_platform
Vendor: oracle • v2.6.0
or
financial_services_analytical_applications_infrastructure
Vendor: oracle • v8.0.6.2.0
or
banking_platform
Vendor: oracle • v2.5.0
ap
poi
Vendor: apache • v3.0
or
primavera_unifier
Vendor: oracle • v18.8
or
big_data_discovery
Vendor: oracle • v1.6
Timeline
Time Line
PUBLICATION
23 Oct 2019
MODIFICATION
21 Nov 2024
FIRST PATCH
21 Jan 2025
Impact Statistics
Key Metrics
CVSS Score
5.5
MEDIUM
Products
125
Affected
Patches
1
Available
Remediation Protocol
Recommended Solution
No automatic solution found. Check vendor references.
Patch Library
Recommended Actions for Administrators
Immediate Action Plan
1. Inventory
Identify all affected systems in your infrastructure.
2. Assessment
Assess exposure and criticality for your organization.
3. Mitigation
Apply patches or available workarounds.
4. Verification
Test and confirm effectiveness of applied measures.