The Apache POI team is pleased to announce the release of 5.2.3. Several dependencies were updated to their latest versions to pick up security fixes and other improvements. A full list of changes is available in the change log. People interested should also follow the dev list to track progress. POI requires Java 8 or newer since version 4.0.1.

4 March 2022 - CVE-2022-26336 - A carefully crafted TNEF file can cause an out of memory exception in Apache POI poi-scratchpad versions prior to 5.2.0

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception.

Affected users are advised to update to poi-scratchpad 5.2.1 or above. It is recommended that you use the same versions of all POI jars.

The Apache POI PMC has evaluated the security vulnerabilities reported. POI 5.1.0 and XMLBeans 5.0.2 only have dependencies on log4j-api 2.14.1. The security vulnerabilities are not in log4j-api - they are in log4j-core. If any POI or XMLBeans user uses log4j-core to control their logging of their application, we strongly recommend that they upgrade all their log4j dependencies to the latest version (currently v2.20.0) - including log4j-api.

13 January 2021 - CVE-2021-23926 - XML External Entity (XXE) Processing in Apache XMLBeans versions prior to 3.0.0