Apache POI Vulnerability CVE-2022-26336

Issue date: 29-06-2022
Affects versions: 15.0, 14.7, 13.4

Security Issue ID

SECURITY-309


Affected Product Version(s)

15.0.0, 14.7.6, 13.4.17, and all previous versions


Severity

low


Description

CVE-2022-26336

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception.

This is unlikely to affect brXM, since the necessary payload file types are not part of the set that is configured by default as acceptable for uploads by content editors. However, this file type set is configurable by customers, so there is some risk if such a customization has been done within a project. The risk is further mitigated by the fact that file uploads are typically allowed only to trusted content editors.
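The mitigation described above relies on keeping TNEF content out of the upload path unless the uploader is trusted. The following is an added example, not brXM or Apache POI code, of an upload gate that enforces that idea: it applies a size cap, an extension allow-list, and a content check for the TNEF signature (the 32-bit value 0x223E9F78 that TNEF files begin with), so that a winmail.dat renamed to an allowed extension is still recognised before it can reach poi-scratchpad. The allow-list, size cap, handler signature and sample payloads are constructed for the example and are not a project's actual configuration.

```python
"""Upload gate that refuses TNEF content before it can reach a TNEF parser.

Added example, not brXM or Apache POI code. It assumes an upload handler
receives the file name and raw bytes and models the advisory's mitigation:
keep TNEF out of the upload path unless the uploader is trusted.
"""
from __future__ import annotations

# TNEF files start with the 32-bit signature 0x223E9F78 stored little-endian.
TNEF_SIGNATURE = b"\x78\x9f\x3e\x22"

# Constructed allow-list standing in for a project's configured upload types.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "jpg"}

# Constructed size cap; a crafted TNEF is cheap to send but expensive to parse.
MAX_UPLOAD_BYTES = 10 * 1024 * 1024


def is_tnef(data: bytes) -> bool:
    """Return True if the payload carries the TNEF signature, whatever its name."""
    return data[:4] == TNEF_SIGNATURE


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot; '' when the name has none."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].lower()


def check_upload(filename: str, data: bytes,
                 trusted_uploader: bool = False) -> tuple[bool, str]:
    """Decide whether an upload may proceed to content parsing.

    Returns (accepted, reason). The TNEF signature check runs regardless of
    the extension so a renamed winmail.dat cannot slip past the allow-list.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size cap"
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or '<none>'}' not in allow-list"
    if is_tnef(data) and not trusted_uploader:
        return False, "TNEF content from an untrusted uploader"
    return True, "accepted"


# Constructed samples: a TNEF header renamed to look like a PDF, and a PDF header.
FAKE_TNEF_AS_PDF = TNEF_SIGNATURE + b"\x00" * 64
FAKE_PDF = b"%PDF-1.7\n" + b"\x00" * 64

if __name__ == "__main__":
    samples = (
        ("report.pdf", FAKE_PDF),
        ("report.pdf", FAKE_TNEF_AS_PDF),
        ("winmail.dat", FAKE_TNEF_AS_PDF),
    )
    for name, blob in samples:
        print(name, check_upload(name, blob))
```

The signature check is deliberately independent of the extension: an extension allow-list alone only controls what the file is called, while the parser that can run out of memory is selected by what the bytes are.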

Instructions

Update to the latest version.