
List:       oss-security
Subject:    [oss-security] CVE-2022-26336: poi-scratchpad: A carefully crafted TNEF file can cause an out of mem
From:       PJ Fanning <fanningpj () apache ! org>
Date:       2022-03-04 11:04:02
Message-ID: 916e8648-6c5b-ae73-8a09-549c6c10bbf7 () apache ! org

Severity: moderate

Description:

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an
Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and
Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the
application allows untrusted users to supply them, then a carefully crafted file can cause an
Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions.
Users are recommended to upgrade to poi-scratchpad 5.2.1.

This issue is being tracked as https://bz.apache.org/bugzilla/show_bug.cgi?id=65899

Credit:

Apache POI would like to thank Craig Haft of Yahoo Inc. for reporting and providing a patch for
this issue.
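
Added example, not part of the original advisory and not Apache POI code: one way to check a build for the affected range stated above is to scan `mvn dependency:tree` output for org.apache.poi:poi-scratchpad below 5.2.1. The sample tree, its module names and the function names are constructed for illustration.

```python
import re

FIXED = (5, 2, 1)  # first fixed release named in the advisory
TARGET = ("org.apache.poi", "poi-scratchpad")

# Constructed sample: `mvn dependency:tree` output from a made-up project.
SAMPLE_TREE = """\
[INFO] com.example:mail-gateway:jar:1.0.0
[INFO] +- org.apache.poi:poi:jar:5.2.0:compile
[INFO] +- org.apache.poi:poi-scratchpad:jar:5.2.0:compile
[INFO] +- com.example:legacy-importer:jar:2.3:compile
[INFO] |  \\- org.apache.poi:poi-scratchpad:jar:3.10-FINAL:compile
[INFO] \\- com.example:reports:jar:4.0:compile
[INFO]    \\- org.apache.poi:poi-scratchpad:jar:5.2.1:runtime
"""

# group:artifact:type[:classifier]:version[:scope]
COORD = re.compile(r"[\w.\-]+(?::[\w.\-]+){3,5}")


def numeric_prefix(version):
    """Leading dotted integers, padded to three: '3.10-FINAL' -> (3, 10, 0).

    Qualifiers such as -FINAL or -SNAPSHOT are ignored. A version with no
    numeric prefix becomes (0, 0, 0) and is therefore reported.
    """
    m = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in m.group(0).split(".")] if m else []
    return tuple((parts + [0, 0, 0])[:3])


def affected_poi_scratchpad(tree_text):
    """Return (line number, version) for each poi-scratchpad entry below 5.2.1."""
    findings = []
    for lineno, line in enumerate(tree_text.splitlines(), 1):
        m = COORD.search(line)
        if not m:
            continue
        fields = m.group(0).split(":")
        if tuple(fields[:2]) != TARGET:
            continue
        version = fields[-2]  # dependency entries end in version:scope
        if numeric_prefix(version) < FIXED:
            findings.append((lineno, version))
    return findings


if __name__ == "__main__":
    for lineno, version in affected_poi_scratchpad(SAMPLE_TREE):
        print(f"line {lineno}: poi-scratchpad {version} is below 5.2.1")
```

Transitive entries matter here: the second finding in the sample comes in through another module, so checking only direct dependencies would miss it.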

