CVE-2019-12415
XML External Entity (XXE) vulnerability in poi (Maven)

Vulnerability type: XML External Entity (XXE)
Known exploit: none

What is CVE-2019-12415 About?

Apache POI up to version 4.1.0 is vulnerable to XML External Entity (XXE) processing when using the XSSFExportToXml tool. A specially crafted Microsoft Excel document can be exploited to read local files or access internal network resources, posing a significant risk to data confidentiality and integrity.

Affected Software

org.apache.poi:poi <4.1.1

Technical Details

The vulnerability exists in Apache POI up to version 4.1.0, specifically when the XSSFExportToXml tool is used to process user-provided Microsoft Excel documents. The XSSFExportToXml tool is designed to convert Excel data into XML format. However, it fails to properly disable or secure the XML parser against external entity processing. An attacker can embed specially formed XML external entity references within the Excel document. When this document is processed by XSSFExportToXml, the XML parser resolves these external entities, allowing it to retrieve content from arbitrary local files or initiate requests to internal network resources. This leads to the unintended disclosure of sensitive information or interaction with internal systems.
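One compensating control for the mechanism described above, added here as an example and not taken from the advisory or from Apache POI: an .xlsx file is a ZIP of XML parts, and legitimate OOXML parts carry no DTD, so an upload can be refused before XSSFExportToXml ever parses it if any part declares a DOCTYPE or ENTITY. The function names and the in-memory sample workbook are constructed for the example.

```python
import io
import re
import zipfile

# Constructed pre-screening check (not from the advisory or Apache POI). An .xlsx file
# is a ZIP of XML parts; legitimate OOXML parts carry no DTD, so any DOCTYPE or ENTITY
# declaration is grounds to refuse the upload before XSSFExportToXml ever parses it.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def find_dtd_parts(xlsx_bytes: bytes) -> list:
    """Return the names of XML parts that contain a DOCTYPE or ENTITY declaration."""
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            # .rels parts are XML too and are parsed by the library, so scan them as well.
            if info.is_dir() or not info.filename.lower().endswith((".xml", ".rels")):
                continue
            data = zf.read(info.filename)
            if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
                # A UTF-16 part would slip past a byte-level search; normalise it first.
                data = data.decode("utf-16").encode("utf-8")
            if DTD_MARKER.search(data):
                suspicious.append(info.filename)
    return suspicious


def is_safe_to_export(xlsx_bytes: bytes) -> bool:
    """True when no part declares a DTD, i.e. the workbook may be handed to the exporter."""
    return not find_dtd_parts(xlsx_bytes)


def build_sample(with_dtd: bool) -> bytes:
    """Construct a minimal xlsx-like ZIP in memory (sample input, not a real workbook)."""
    sheet = b'<?xml version="1.0" encoding="UTF-8"?>\n'
    if with_dtd:
        # Constructed placeholder declaration; the system identifier points nowhere real.
        sheet += b'<!DOCTYPE worksheet [<!ENTITY ext SYSTEM "http://placeholder.invalid/">]>\n'
    sheet += (b'<worksheet><sheetData><row r="1"><c r="A1" t="inlineStr">'
              b'<is><t>hello</t></is></c></row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean workbook safe:", is_safe_to_export(build_sample(False)))
    print("flagged parts:", find_dtd_parts(build_sample(True)))
```

This is a pre-filter only; the actual fix is upgrading to a POI release that hardens the parser, since a byte search does not replace a parser configured to reject DTDs.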

What is the Impact of CVE-2019-12415?

Successful exploitation may allow attackers to read arbitrary files from the local filesystem or make requests to internal network resources, potentially leading to information disclosure, server-side request forgery (SSRF), or further internal network attacks.

What is the Exploitability of CVE-2019-12415?

Exploiting this vulnerability requires an attacker to create a specially crafted Microsoft Excel document containing XML external entity (XXE) payloads. The complexity is moderate, requiring knowledge of XXE injection techniques and the specific XML structures within Excel documents processed by Apache POI. No authentication is typically required for the initial file upload/processing if the application accepts untrusted documents. This is generally a remote attack, as an attacker would submit the malicious document to a server-side application. The key condition is that the application must use XSSFExportToXml to process user-supplied Excel documents. The likelihood of exploitation increases if the application publicly exposes an endpoint for document uploads or transformations.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2019-12415?

Available Upgrade Options

  • org.apache.poi:poi
    • <4.1.1 → Upgrade to 4.1.1

Additional Resources

What are Similar Vulnerabilities to CVE-2019-12415?

Similar Vulnerabilities: CVE-2017-1000021, CVE-2017-7657, CVE-2018-1000600, CVE-2020-1945, CVE-2021-20092