CVE-2022-26336: A carefully crafted TNEF file can cause an out of memory exception
First published: Fri Mar 04 2022(Updated: )
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache POI | <5.2.1 | |
| Netapp Active Iq Unified Manager Linux | ||
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| maven/org.apache.poi:poi-scratchpad | >=3.8-beta1<5.2.1 | 5.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-26336 https://nvd.nist.gov/vuln/detail/CVE-2022-26336
- https://bugzilla.redhat.com/show_bug.cgi?id=2063292
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/security/cve/cve-2022-26336
- https://lists.apache.org/thread/sprg0kq986pc2271dc3v2oxb1f9qx09j
- https://nvd.nist.gov/vuln/detail/CVE-2022-26336
- https://security.netapp.com/advisory/ntap-20221028-0006/
- https://security.netapp.com/advisory/ntap-20221028-0006
- https://github.com/advisories/GHSA-mqvp-7rrg-9jxc (Advisory)
Frequently Asked Questions
What is CVE-2022-26336?
CVE-2022-26336 is a vulnerability in the HMEF package of poi-scratchpad (Apache POI) that allows an attacker to cause an Out of Memory exception by parsing TNEF files.
What software is affected by CVE-2022-26336?
Apache POI (up to version 5.2.1), Netapp Active IQ Unified Manager, Apple iPadOS, and Apple watchOS are affected by CVE-2022-26336.
How severe is CVE-2022-26336?
CVE-2022-26336 has a severity rating of 5.5 (Medium).
How can an attacker exploit CVE-2022-26336?
An attacker can exploit CVE-2022-26336 by providing a specially crafted TNEF file to an application that uses poi-scratchpad to parse TNEF files, causing an Out of Memory exception.
Is there a fix available for CVE-2022-26336?
Yes, users should update to a version of Apache POI beyond 5.2.1 to mitigate the vulnerability.
- collector/redhat-cve
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-26336
- agent/author
- agent/first-publish-date
- agent/weakness
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-mqvp-7rrg-9jxc
- agent/references
- agent/severity
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/tags
- agent/event
- vendor/apache
- canonical/apache poi
- vendor/netapp
- canonical/netapp active iq unified manager linux
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows
- package-manager/maven