Description

Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2017-0248.html

http://rhn.redhat.com/errata/RHSA-2017-0249.html

http://rhn.redhat.com/errata/RHSA-2017-0272.html

http://www.securityfocus.com/archive/1/538500/100/0/threaded

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E

https://mail-archives.apache.org/mod_mbox/tika-dev/201605.mbox/%3C1705136517.1175366.1464278135251.JavaMail.yahoo%40mail.yahoo.com%3E

Related Vulnerabilities

CVE-2021-44878 Vulnerability in maven package org.pac4j:pac4j-core

CVE-2023-40014 Vulnerability in maven package org.webjars.npm:openzeppelin__contracts

CVE-2022-41242 Vulnerability in maven package org.jenkins-ci.plugins:extreme-feedback

CVE-2023-37478 Vulnerability in npm package @pnpm/cafs

CVE-2021-40146 Vulnerability in maven package org.apache.any23:apache-any23-core

Severity

High

Classification

CWE-611 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory