Author: fanningpj
Date: Fri Mar 4 11:14:09 2022
New Revision: 1898594
URL: http://svn.apache.org/viewvc?rev=1898594&view=rev
Log:
cve
Modified:
poi/site/src/documentation/content/xdocs/index.xml
Modified: poi/site/src/documentation/content/xdocs/index.xml
URL:
http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/index.xml?rev=1898594&r1=1898593&r2=1898594&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/index.xml (original)
+++ poi/site/src/documentation/content/xdocs/index.xml Fri Mar 4 11:14:09 2022
@@ -27,6 +27,21 @@
<body>
<section><title>Project News</title>
+ <section><title>4 March 2022 - CVE-2022-26336 - A carefully crafted TNEF
file can cause an out of memory exception in Apache POI poi-scratchpad versions
prior to 5.2.0</title>
+ <p>Description:<br/>
+ A shortcoming in the HMEF package of poi-scratchpad (Apache POI)
allows an attacker to cause an Out of Memory exception.
+ This package is used to read TNEF files (Microsoft Outlook and
Microsoft Exchange Server).
+ If an application uses poi-scratchpad to parse TNEF files and the
application allows untrusted users to supply them, then a carefully crafted
file can cause an Out of Memory exception.</p>
+
+ <p>Mitigation:<br/>
+ Affected users are advised to update to poi-scratchpad 5.2.1 or above
+ which fixes this vulnerability. It is recommended that you use the
same versions of all POI jars.</p>
+
+ <p>References:
+ <a
href="https://en.wikipedia.org/wiki/XML_external_entity_attack";>XML external
entity attack</a>
+ </p>
+ </section>
+
<!-- latest final release -->
<section><title>3 March 2022 - POI 5.2.1 available</title>
<p>The Apache POI team is pleased to announce the release of 5.2.1.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
