Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tcXZwLTdycmctOWp4Y80wYw
Improper Input Validation and Allocation of Resources Without Limits or Throttling in poi-scratchpad
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
Permalink: https://github.com/advisories/GHSA-mqvp-7rrg-9jxc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tcXZwLTdycmctOWp4Y80wYw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 4 months ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-mqvp-7rrg-9jxc, CVE-2022-26336
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-26336
- https://lists.apache.org/thread/sprg0kq986pc2271dc3v2oxb1f9qx09j
- https://security.netapp.com/advisory/ntap-20221028-0006
- https://github.com/advisories/GHSA-mqvp-7rrg-9jxc
Affected Packages
maven:org.apache.poi:poi-scratchpad
Dependent packages: 379
Dependent repositories: 11,730
Affected Version Ranges: >= 3.8-beta1, < 5.2.1
Fixed in: 5.2.1
All affected versions: 3.10.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.1.2, 5.0.0, 5.1.0, 5.2.0
All unaffected versions: 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.3.0