Posted to commits@poi.apache.org by fa...@apache.org on 2022/03/04 11:14:09 UTC

svn commit: r1898594 - /poi/site/src/documentation/content/xdocs/index.xml

Author: fanningpj
Date: Fri Mar  4 11:14:09 2022
New Revision: 1898594

URL: http://svn.apache.org/viewvc?rev=1898594&view=rev
Log:
cve

Modified:
    poi/site/src/documentation/content/xdocs/index.xml

Modified: poi/site/src/documentation/content/xdocs/index.xml
URL: http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/index.xml?rev=1898594&r1=1898593&r2=1898594&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/index.xml (original)
+++ poi/site/src/documentation/content/xdocs/index.xml Fri Mar  4 11:14:09 2022
@@ -27,6 +27,21 @@
   <body>
     <section><title>Project News</title>
 
+      <section><title>4 March 2022 - CVE-2022-26336 - A carefully crafted TNEF file can cause an out of memory exception in Apache POI poi-scratchpad versions prior to 5.2.0</title>
+        <p>Description:<br/>
+          A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception.
+          This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server).
+          If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception.</p>
+
+        <p>Mitigation:<br/>
+          Affected users are advised to update to poi-scratchpad 5.2.1 or above
+          which fixes this vulnerability. It is recommended that you use the same versions of all POI jars.</p>
+
+        <p>References:
+          <a href="https://en.wikipedia.org/wiki/XML_external_entity_attack">XML external entity attack</a>
+        </p>
+      </section>
+
       <!-- latest final release -->
       <section><title>3 March 2022 - POI 5.2.1 available</title>
         <p>The Apache POI team is pleased to announce the release of 5.2.1.
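Review bot: The new section title says the issue affects poi-scratchpad "versions prior to 5.2.0", but the Mitigation paragraph advises updating to "poi-scratchpad 5.2.1 or above", so a reader cannot tell whether 5.2.0 is affected or fixed; state the affected range and the fixed version so that they agree. The References paragraph links to the Wikipedia article on XML external entity attacks, which does not match the Description (an Out of Memory exception in the HMEF package when reading TNEF files); point it at a reference for CVE-2022-26336 itself or remove the paragraph. The log message "cve" also gives no indication of which CVE or what was added; naming CVE-2022-26336 there would make the revision easier to find later.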


