Author: fanningpj
Date: Fri Mar  4 11:16:57 2022
New Revision: 1898595

URL: http://svn.apache.org/viewvc?rev=1898595&view=rev
Log:
cve

Modified:
    poi/site/publish/index.html

Modified: poi/site/publish/index.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/index.html?rev=1898595&r1=1898594&r2=1898595&view=diff
==============================================================================
--- poi/site/publish/index.html (original)
+++ poi/site/publish/index.html Fri Mar  4 11:16:57 2022
@@ -179,6 +179,19 @@ document.write("Last Published: " + docu
 <a name="Project+News"></a>
 <h2 class="boxed">Project News</h2>
 <div class="section">
+<a 
name="4+March+2022+-+CVE-2022-26336+-+A+carefully+crafted+TNEF+file+can+cause+an+out+of+memory+exception+in+Apache+POI+poi-scratchpad+versions+prior+to+5.2.0"></a>
+<h3 class="boxed">4 March 2022 - CVE-2022-26336 - A carefully crafted TNEF 
file can cause an out of memory exception in Apache POI poi-scratchpad versions 
prior to 5.2.0</h3>
+<p>Description:<br>
+          A shortcoming in the HMEF package of poi-scratchpad (Apache POI) 
allows an attacker to cause an Out of Memory exception.
+          This package is used to read TNEF files (Microsoft Outlook and 
Microsoft Exchange Server).
+          If an application uses poi-scratchpad to parse TNEF files and the 
application allows untrusted users to supply them, then a carefully crafted 
file can cause an Out of Memory exception.</p>
+<p>Mitigation:<br>
+          Affected users are advised to update to poi-scratchpad 5.2.1 or above
+          which fixes this vulnerability. It is recommended that you use the 
same versions of all POI jars.</p>
+<p>References:
+          <a 
href="https://en.wikipedia.org/wiki/XML_external_entity_attack";>XML external 
entity attack</a>
+        
+</p>
 <a name="3+March+2022+-+POI+5.2.1+available"></a>
 <h3 class="boxed">3 March 2022 - POI 5.2.1 available</h3>
 <p>The Apache POI team is pleased to announce the release of 5.2.1.
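Review bot: The References link in the added CVE-2022-26336 entry points to the Wikipedia article on XML external entity attacks, which does not match the Description (an Out of Memory exception when the HMEF package parses a crafted TNEF file); link to the CVE record or the project's advisory for this issue instead. The heading also says "versions prior to 5.2.0" while the Mitigation advises updating to "poi-scratchpad 5.2.1 or above", so the affected range and the fixed version should be reconciled so that users on 5.2.0 can tell whether they are affected.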


