{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-26336", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2022-10-28T00:00:00", "dateReserved": "2022-03-01T00:00:00", "datePublished": "2022-03-04T00:00:00"}, "containers": {"cna": {"title": "A carefully crafted TNEF file can cause an out of memory exception", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-10-28T00:00:00"}, "descriptions": [{"lang": "en", "value": "A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1."}], "affected": [{"vendor": "Apache Software Foundation", "product": "poi-scratchpad", "versions": [{"version": "unspecified", "lessThanOrEqual": "5.2.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://lists.apache.org/thread/sprg0kq986pc2271dc3v2oxb1f9qx09j"}, {"url": "https://security.netapp.com/advisory/ntap-20221028-0006/"}], "credits": [{"lang": "en", "value": "Apache POI would like to thank Craig Haft of Yahoo Inc. for reporting and providing a patch for this issue."}], "metrics": [{"other": {"type": "unknown", "content": {"other": "moderate"}}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "cweId": "CWE-770"}]}, {"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"defect": ["https://bz.apache.org/bugzilla/show_bug.cgi?id=65899"], "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:poi:*:*:*:*:*:*:*:*", "matchCriteriaId": "A853FEC8-0927-4637-A352-BB91914AFFCD", "versionEndExcluding": "5.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1."}, {"lang": "es", "value": "Un fallo en el paquete HMEF de poi-scratchpad (Apache POI) permite a un atacante causar una excepci\u00f3n de Falta de Memoria. Este paquete es usado para leer archivos TNEF (Microsoft Outlook y Microsoft Exchange Server). Si una aplicaci\u00f3n usa poi-scratchpad para analizar archivos TNEF y la aplicaci\u00f3n permite que usuarios no confiables los suministren, entonces un archivo cuidadosamente dise\u00f1ado puede causar una excepci\u00f3n de Falta de Memoria. Este problema afecta a versi\u00f3n 5.2.0 de poi-scratchpad y versiones anteriores. Es recomendado a usuarios actualizar a poi-scratchpad versi\u00f3n 5.2.1"}], "id": "CVE-2022-26336", "lastModified": "2022-12-07T03:01:18.477", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-04T16:15:10.923", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/sprg0kq986pc2271dc3v2oxb1f9qx09j"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221028-0006/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-770"}], "source": "security@apache.org", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}