CVE-2017-12626

Summary

CVE	CVE-2017-12626
State	PUBLISHED
Assigner	apache
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-01-29 17:29:00 UTC
Updated	2026-05-28 19:16:24 UTC
Description	Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).

Risk And Classification

Primary CVSS: v3.1 7.5 HIGH from ADP

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.011140000 probability, percentile 0.784770000 (date 2026-06-01)

Problem Types: CWE-835 | Denial of Service Vulnerabilities | CWE-835 CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Version	Source	Type	Score	Severity	Vector
3.1	ADP	DECLARED	7.5	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
3.1	134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	7.5	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
3.0	[email protected]	Primary	7.5	HIGH	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
2.0	[email protected]	Primary	5		`AV:N/AC:L/Au:N/C:N/I:N/A:P`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v3.0 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2.0 Breakdown

Access Vector

Network

Access Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Poi	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Apache Software Foundation	Apache POI	affected < 3.17	Not specified

References

Reference	Source	Link	Tags
Oracle Critical Patch Update Advisory - January 2021	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com
Oracle Critical Patch Update Advisory - April 2021	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com
Oracle Critical Patch Update - October 2019	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com
Oracle Critical Patch Update Advisory - October 2020	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com
Oracle Critical Patch Update Advisory - April 2020	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Red Hat Customer Portal	af854a3a-2127-422b-91ae-364da2661108	access.redhat.com	Third Party Advisory
Apache POI CVE-2017-12626 Multiple Denial of Service Vulnerabilities	af854a3a-2127-422b-91ae-364da2661108	www.securityfocus.com	Third Party Advisory, VDB Entry
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Oracle Critical Patch Update Advisory - January 2020	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com
Oracle Critical Patch Update Advisory - July 2020	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

20297 Oracle Database 18c Critical OJVM Patch Update - October 2020
20313 Oracle Database 12.2.0.1 Critical OJVM Patch Update - October 2020
982267 Java (maven) Security Update for org.apache.poi:poi (GHSA-523c-xh4g-mh5m)