CVE-2022-26336

CWE-20Improper Input ValidationCWE-770Allocation without Limits7 documents6 sources
Severity
5.5MEDIUM
EPSS
0.0%
top 87.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache POIApache Software Foundation Poi-scratchpad
Timeline
PublishedMar 4
Latest updateJan 15

Description

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

Mavenorg.apache.poi:poi-scratchpad3.8-beta15.2.1
CVEListV5apache_software_foundation/poi-scratchpadunspecified5.2.0
NVDapache/poi< 5.2.1

🔴Vulnerability Details

4
GHSA
Improper Input Validation and Allocation of Resources Without Limits or Throttling in poi-scratchpad2022-03-05
OSV
Improper Input Validation and Allocation of Resources Without Limits or Throttling in poi-scratchpad2022-03-05
OSV
CVE-2022-26336: A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception2022-03-04
CVEList
A carefully crafted TNEF file can cause an out of memory exception2022-03-04

📋Vendor Advisories

2
Oracle
Oracle Oracle JD Edwards Risk Matrix: Web Runtime SEC (Apache POI) — CVE-2022-263362023-01-15
Red Hat
poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception2022-03-04
CVE-2022-26336 (MEDIUM CVSS 5.5) | A shortcoming in the HMEF package o | cvebase.io