CVE-2017-12626: Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops...
Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
Security readout for executives and security teams
Apache POI before 3.17 can be forced to hang or exhaust memory while processing specially crafted document and image-related formats. For businesses, the practical risk is service disruption in applications that parse uploaded or received Office-style files. The source bundle does not show data theft, data modification, or confirmed active exploitation. Exposure is most likely in applications or downstream products that embed Apache POI < 3.17 and parse untrusted documents, email messages, macros, or Office files. Public upload services, document conversion workflows, indexing pipelines, and backend automation are the highest concern when reachable by unauthenticated users. Prioritize remediation for internet-facing or business-critical document-processing systems. This is a high availability risk rather than a data breach indicator from the supplied sources, so urgency should track service criticality, external reachability, and whether untrusted files are processed automatically. Mitigation focus: Upgrade Apache POI to 3.17 or later where directly managed.; Apply vendor-supported package updates for products bundling Apache POI.; Review Red Hat and Oracle advisories for downstream patched versions..
Prepared
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-835: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-835 · source CWE mapping
Loop with Unreachable Exit Condition ('Infinite Loop')
Loop with Unreachable Exit Condition ('Infinite Loop') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.