Apache POI Vulnerability CVE-2022-26336
Issue date: 29-06-2022
Affects versions: 15.0, 14.7, 13.4
Security Issue ID
SECURITY-309
Affected Product Version(s)
15.0.0, 14.7.6, 13.4.17, and all previous versions
Severity
low
Description
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (the format used by Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and allows untrusted users to supply them, a carefully crafted file can cause an Out of Memory exception.
This is unlikely to affect brXM, since TNEF is not among the file types that brXM accepts by default for uploads by content editors. However, this set of file types is configurable by customers, so there is some risk if such a customization has been done within a project. The risk is further mitigated by the fact that file uploads are typically allowed only for trusted content editors.
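The mitigation above rests on the upload file-type allowlist keeping TNEF data away from the parser. The following is an added example, not code from this advisory, brXM or Apache POI, showing how such an allowlist can be enforced on content rather than only on the client-supplied extension, so that a renamed TNEF file is still rejected. The allowlist and the sample upload bytes are constructed for the example; the TNEF signature value 0x223E9F78 (stored little-endian, so a TNEF file starts with the bytes 78 9F 3E 22) is the published TNEF signature and is not stated on this page.

```python
"""Content-based upload allowlist that never passes TNEF data to a TNEF parser.

Added example (not brXM or Apache POI code). Assumes uploads arrive as raw bytes
together with a client-supplied filename, and that the application maintains an
extension allowlist; the allowlist below is constructed for the example.
"""
import os
import struct

# Published TNEF signature: the first four bytes of a TNEF file, read little-endian.
TNEF_SIGNATURE = 0x223E9F78

# Constructed allowlist: extension -> magic bytes the content must start with
# (None means the type has no fixed magic and only the extension is checked).
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".txt": None,
}

# Constructed sample: a TNEF signature followed by filler, as a renamed file might carry.
CONSTRUCTED_TNEF_SAMPLE = b"\x78\x9f\x3e\x22" + b"\x00" * 16


def is_tnef(data: bytes) -> bool:
    """Return True when the content starts with the TNEF signature."""
    if len(data) < 4:
        return False
    return struct.unpack("<I", data[:4])[0] == TNEF_SIGNATURE


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload may be accepted; returns (accepted, reason).

    Order matters: TNEF content is refused before the per-type magic check, so a
    TNEF file renamed to an allowed extension (e.g. .txt) is still rejected.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if is_tnef(data):
        return False, "TNEF content rejected regardless of extension"
    magic = ALLOWED_TYPES[ext]
    if magic is not None and not data.startswith(magic):
        return False, "content does not match extension"
    return True, "ok"


if __name__ == "__main__":
    for name, blob in [
        ("winmail.dat", CONSTRUCTED_TNEF_SAMPLE),   # typical TNEF name, extension not allowed
        ("notes.txt", CONSTRUCTED_TNEF_SAMPLE),     # renamed TNEF, caught by signature
        ("report.pdf", b"%PDF-1.4\n%constructed"),  # allowed type with matching magic
        ("report.pdf", b"MZ\x90\x00 constructed"),  # allowed extension, wrong content
    ]:
        print(name, check_upload(name, blob))
```

The signature check is deliberately placed before the per-type magic check so that the decision does not depend on which allowed types happen to have a fixed magic; a `.txt` entry with no magic would otherwise let renamed TNEF content through.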
Instructions
Update to the latest version.