Description
Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
References (11)
Core 11
Core References
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1322
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/102879
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2020.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2020.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2021.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/453d9af5dbabaccd9afb58d27279a9dbfe8e35f4e5ea1645ddd6960b%40%3Cdev.poi.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
Scores
CVSS v3
7.5
EPSS
0.0127
EPSS Percentile
79.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-835
Status
published
Products (2)
apache/poi
< 3.17
org.apache.poi/poi
0 - 3.17Maven
Published
Jan 29, 2018
Tracked Since
Feb 18, 2026