Description

Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2017-0248.html

http://rhn.redhat.com/errata/RHSA-2017-0249.html

http://rhn.redhat.com/errata/RHSA-2017-0272.html

http://www.securityfocus.com/archive/1/538500/100/0/threaded

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E

https://mail-archives.apache.org/mod_mbox/tika-dev/201605.mbox/%3C1705136517.1175366.1464278135251.JavaMail.yahoo%40mail.yahoo.com%3E

Related Vulnerabilities

CVE-2019-1003056 Vulnerability in maven package org.jenkins-ci.plugins:websphere-deployer

CVE-2022-43412 Vulnerability in maven package org.jenkins-ci.plugins:generic-webhook-trigger

CVE-2023-40345 Vulnerability in maven package org.jenkins-ci.plugins:delphix

CVE-2023-45648 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2022-24999 Vulnerability in maven package org.webjars:qs

Severity

High

Classification

CWE-611 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory