CVE-2017-12626
HIGH
Apache POI < 3.17 - Denial of Service via Crafted WMF EMF MSG Macro DOC PPT XLS Parsing
Title source: llm
Description
Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
References (11)
Core References
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1322
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/453d9af5dbabaccd9afb58d27279a9dbfe8e35f4e5ea1645ddd6960b%40%3Cdev.poi.apache.org%3E
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/102879
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2020.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2020.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2021.html
Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Scores
CVSS v3
7.5
EPSS
0.1025
EPSS Percentile
95.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-835
Status
published
Products (3)
apache/poi
< 3.17
Apache Software Foundation/Apache POI
< 3.17
org.apache.poi/poi
0 - 3.17
Maven
Published
Jan 29, 2018
Tracked Since
Feb 18, 2026