You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@poi.apache.org by fa...@apache.org on 2022/03/04 11:14:09 UTC
svn commit: r1898594 - /poi/site/src/documentation/content/xdocs/index.xml
Author: fanningpj
Date: Fri Mar 4 11:14:09 2022
New Revision: 1898594
URL: http://svn.apache.org/viewvc?rev=1898594&view=rev
Log:
cve
Modified:
poi/site/src/documentation/content/xdocs/index.xml
Modified: poi/site/src/documentation/content/xdocs/index.xml
URL: http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/index.xml?rev=1898594&r1=1898593&r2=1898594&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/index.xml (original)
+++ poi/site/src/documentation/content/xdocs/index.xml Fri Mar 4 11:14:09 2022
@@ -27,6 +27,21 @@
<body>
<section><title>Project News</title>
+ <section><title>4 March 2022 - CVE-2022-26336 - A carefully crafted TNEF file can cause an out of memory exception in Apache POI poi-scratchpad versions prior to 5.2.0</title>
+ <p>Description:<br/>
+ A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception.
+ This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server).
+ If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception.</p>
+
+ <p>Mitigation:<br/>
+ Affected users are advised to update to poi-scratchpad 5.2.1 or above
+ which fixes this vulnerability. It is recommended that you use the same versions of all POI jars.</p>
+
+ <p>References:
+ <a href="https://en.wikipedia.org/wiki/XML_external_entity_attack">XML external entity attack</a>
+ </p>
+ </section>
+
<!-- latest final release -->
<section><title>3 March 2022 - POI 5.2.1 available</title>
<p>The Apache POI team is pleased to announce the release of 5.2.1.
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@poi.apache.org
For additional commands, e-mail: commits-help@poi.apache.org