{"id":"CVE-2019-12415","details":"In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.","aliases":["GHSA-9jwc-q6j3-8g9g"],"modified":"2026-04-10T04:14:27.671823Z","published":"2019-10-23T20:15:12.707Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/895164e03a3c327449069e2fd6ced0367561878b3ae6a8ec740c2007%40%3Cuser.tika.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/d88b8823867033514d7ec05d66f88c70dc207604d3dcbd44fd88464c%40%3Cuser.tika.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/13a54b6a03369cfb418a699180ffb83bd727320b6ddfec198b9b728e%40%3Cannounce.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/2ac0327748de0c2b3c1c012481b79936797c711724e0b7da83cf564c%40%3Cuser.tika.apache.org%3E"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"ADVISORY","url":"https://www.oracle.com//security-alerts/cpujul2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/poi","events":[{"introduced":"0"},{"last_affected":"444e35e0d903f0b4fac96e8c8668953b196dabd4"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.1.0"}]}}],"versions":["REL_4_1_0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"12.5.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"13.1.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"13.2.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"13.3.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.6.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.6.2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.2.2"}]},{"events":[{"introduced":"0"},{"last_affected":"3.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0.5"}]},{"events":[{"introduced":"0"},{"last_affected":"13.3.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.3.0.0"}]},{"events":[{"introduced":"8.0.6"},{"last_affected":"8.0.9"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.6"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.8"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2.4"}]},{"events":[{"introduced":"0"},{"last_affected":"17.1"}]},{"events":[{"introduced":"0"},{"last_affected":"17.2"}]},{"events":[{"introduced":"0"},{"last_affected":"17.3"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.4"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.57"}]},{"events":[{"introduced":"0"},{"last_affected":"8.58"}]},{"events":[{"introduced":"0"},{"last_affected":"8.59"}]},{"events":[{"introduced":"0"},{"last_affected":"17.12.6"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8.8.1"}]},{"events":[{"introduced":"17.7"},{"last_affected":"17.12"}]},{"events":[{"introduced":"0"},{"last_affected":"16.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.2"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8"}]},{"events":[{"introduced":"0"},{"last_affected":"19.12"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12415.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}