CVE-2022-26336: Improper Input Validation and Allocation of Resources Without Limits or Throttling in poi-scratchpad

March 5, 2022 (updated May 14, 2024)

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception.

References

github.com/advisories/GHSA-mqvp-7rrg-9jxc
lists.apache.org/thread/sprg0kq986pc2271dc3v2oxb1f9qx09j
nvd.nist.gov/vuln/detail/CVE-2022-26336

Detect and mitigate CVE-2022-26336 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →