CVE-2019-12415, and CVE-2022-26336

stonebranch2

Registered Developer

Join Date: May 2012

Posts: 709
#1

CVE-2019-12415, and CVE-2022-26336

17 Oct 2023, 05:28

Hi Isomorphic,

The poi-3.17.jar dependency has the following MEDIUM severity CVEs against it.

CVE-2019-12415

In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.

CVE-2022-26336

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.

Is SmartGWT impacted by these?

Thank you
Tags: None
Isomorphic

Administrator

Join Date: May 2006

Posts: 53991
#2

17 Oct 2023, 06:46

Not vulnerable - we don't use POI for either of these purposes.
Comment
stonebranch2

Registered Developer

Join Date: May 2012

Posts: 709
#3

17 Oct 2023, 07:02

Thank you
Comment

Previous template Next

Announcement