CVE-2017-12626
7.5 HIGHApache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EM...
Published: 2018-01-29 · Last updated: 2026-05-28
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-835
Affected products
| Vendor | Product |
|---|---|
| apache | poi |
Description
Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2017-12626
- [Other]http://www.securityfocus.com/bid/102879
- [Other]https://access.redhat.com/errata/RHSA-2018:1322
- [Other]https://lists.apache.org/thread.html/453d9af5dbabaccd9afb58d27279a9dbfe8e35f4e5ea1645ddd6960b%40%3Cdev.poi.apache.org%3E
- [Other]https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- [Other]https://www.oracle.com/security-alerts/cpuApr2021.html
- [Other]https://www.oracle.com/security-alerts/cpuapr2020.html
- [Other]https://www.oracle.com/security-alerts/cpujan2020.html
- [Other]https://www.oracle.com/security-alerts/cpujan2021.html
- [Other]https://www.oracle.com/security-alerts/cpujul2020.html
- [Other]https://www.oracle.com/security-alerts/cpuoct2020.html
- [Other]https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- [Other]http://www.securityfocus.com/bid/102879
- [Other]https://access.redhat.com/errata/RHSA-2018:1322
- [Other]https://lists.apache.org/thread.html/453d9af5dbabaccd9afb58d27279a9dbfe8e35f4e5ea1645ddd6960b%40%3Cdev.poi.apache.org%3E
- [Other]https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- [Other]https://www.oracle.com/security-alerts/cpuApr2021.html
- [Other]https://www.oracle.com/security-alerts/cpuapr2020.html
- [Other]https://www.oracle.com/security-alerts/cpujan2020.html
- [Other]https://www.oracle.com/security-alerts/cpujan2021.html
- [Other]https://www.oracle.com/security-alerts/cpujul2020.html
- [Other]https://www.oracle.com/security-alerts/cpuoct2020.html
- [Other]https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Related CVEs
Same vendor
- CVE-2026-50645 — There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can l... (7.5 HIGH)
- CVE-2026-50634 — A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticate... (6.5 MEDIUM)
- CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)
- CVE-2026-50632 — A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been ide... (8.1 HIGH)
- CVE-2026-50631 — A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and ... (7.4 HIGH)
Same CWE
- CVE-2026-48733 — ImageMagick is free and open-source software used for editing and manipulating digital images (4.7 MEDIUM)
- CVE-2026-46521 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
- CVE-2026-46522 — ImageMagick is free and open-source software used for editing and manipulating digital images (7.5 HIGH)
- CVE-2026-49495 — Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection ... (5.5 MEDIUM)
- CVE-2025-71330 — image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event l... (7.5 HIGH)