{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-26336", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-03T05:03:32.643Z", "dateReserved": "2022-03-01T00:00:00", "datePublished": "2022-03-04T00:00:00"}, "containers": {"cna": {"title": "A carefully crafted TNEF file can cause an out of memory exception", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-10-28T00:00:00"}, "descriptions": [{"lang": "en", "value": "A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1."}], "affected": [{"vendor": "Apache Software Foundation", "product": "poi-scratchpad", "versions": [{"version": "unspecified", "lessThanOrEqual": "5.2.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/sprg0kq986pc2271dc3v2oxb1f9qx09j"}, {"url": "https://security.netapp.com/advisory/ntap-20221028-0006/"}], "credits": [{"lang": "en", "value": "Apache POI would like to thank Craig Haft of Yahoo Inc. for reporting and providing a patch for this issue."}], "metrics": [{"other": {"type": "unknown", "content": {"other": "moderate"}}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "cweId": "CWE-770"}]}, {"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"defect": ["https://bz.apache.org/bugzilla/show_bug.cgi?id=65899"], "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:03:32.643Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/sprg0kq986pc2271dc3v2oxb1f9qx09j", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20221028-0006/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:poi:*:*:*:*:*:*:*:*", "matchCriteriaId": "A853FEC8-0927-4637-A352-BB91914AFFCD", "versionEndExcluding": "5.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1."}, {"lang": "es", "value": "Un fallo en el paquete HMEF de poi-scratchpad (Apache POI) permite a un atacante causar una excepci\u00f3n de Falta de Memoria. Este paquete es usado para leer archivos TNEF (Microsoft Outlook y Microsoft Exchange Server). Si una aplicaci\u00f3n usa poi-scratchpad para analizar archivos TNEF y la aplicaci\u00f3n permite que usuarios no confiables los suministren, entonces un archivo cuidadosamente dise\u00f1ado puede causar una excepci\u00f3n de Falta de Memoria. Este problema afecta a versi\u00f3n 5.2.0 de poi-scratchpad y versiones anteriores. Es recomendado a usuarios actualizar a poi-scratchpad versi\u00f3n 5.2.1"}], "id": "CVE-2022-26336", "lastModified": "2022-12-07T03:01:18.477", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-04T16:15:10.923", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/sprg0kq986pc2271dc3v2oxb1f9qx09j"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221028-0006/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-770"}], "source": "security@apache.org", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:5532", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "poi-scratchpad", "product_name": "Red Hat Fuse 7.11", "release_date": "2022-07-07T00:00:00Z"}], "bugzilla": {"description": "poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception", "id": "2063292", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2063292"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.5", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-20", "details": ["A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1."], "name": "CVE-2022-26336", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Will not fix", "package_name": "poi-scratchpad", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Will not fix", "package_name": "poi-scratchpad", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "poi-scratchpad", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "poi-scratchpad", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Will not fix", "package_name": "poi-scratchpad", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "poi-scratchpad", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "poi-scratchpad", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "poi-scratchpad", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "poi-scratchpad", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "poi-scratchpad", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "poi-scratchpad", "product_name": "Red Hat JBoss Fuse Service Works 6"}], "public_date": "2022-03-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-26336\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-26336"], "threat_severity": "Low"}