CVE-2017-12626

HIGH 7.5 | EPSS 1.1%

Denial of Service in Apache POI

Published: 1/14/2021
Modified: 11/8/2023
Also known as: GHSA-523c-xh4g-mh5m, DEBIAN-CVE-2017-12626

Description

Apache POI versions prior to release 3.17 are vulnerable to Denial of Service attacks:
- Infinite loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294)
- Out of Memory exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295)

Affected packages (2)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (14)