-
Also not vulnerable - this is an issue with parsing files, but we use POI only for generation.
We're assuming you realized this and just wanted to have an official vendor confirmation - so now you have that!Leave a comment:
-
Hi Isomorphic,
Can you please confirm SmartGWT is not impacted by the following Apache POI dependency CVE.
https://nvd.nist.gov/vuln/detail/CVE-2025-31672
https://lists.apache.org/thread/k14w...zldko78kpylkq5
Thank youLeave a comment:
-
CVE-2019-12415, and CVE-2022-26336
Hi Isomorphic,
The poi-3.17.jar dependency has the following MEDIUM severity CVEs against it.
CVE-2019-12415
CVE-2022-26336In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
Is SmartGWT impacted by these?A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
Thank you
- You need to login (link above) before you can post. If you do not yet have an account, please register.
Leave a comment: