Date: Tue, 22 Oct 2019 23:00:45 +0200 From: Dominik Stadler <centic@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache POI up to version 4.1.0 Description: When using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing. Mitigation: Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml are not affected. affected users are advised to update to Apache POI 4.1.1 which fixes this vulnerability. Credit: This issue was discovered by Artem Smotrakov from SAP References: https://en.wikipedia.org/wiki/XML_external_entity_attack
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.