{
  "threat_severity" : "Low",
  "public_date" : "2022-03-04T00:00:00Z",
  "bugzilla" : {
    "description" : "poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception",
    "id" : "2063292",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2063292"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.11",
    "release_date" : "2022-07-07T00:00:00Z",
    "advisory" : "RHSA-2022:5532",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "poi-scratchpad"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Fix deferred",
    "package_name" : "poi-scratchpad",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Fix deferred",
    "package_name" : "poi-scratchpad",
    "cpe" : "cpe:/a:redhat:quarkus:2"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "poi-scratchpad",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Fix deferred",
    "package_name" : "poi-scratchpad",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Fix deferred",
    "package_name" : "poi-scratchpad",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Out of support scope",
    "package_name" : "poi-scratchpad",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "poi-scratchpad",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "poi-scratchpad",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "poi-scratchpad",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "poi-scratchpad",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "poi-scratchpad",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-26336\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-26336" ],
  "name" : "CVE-2022-26336",
  "csaw" : false
}