Description

Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2017-0248.html

http://rhn.redhat.com/errata/RHSA-2017-0249.html

http://rhn.redhat.com/errata/RHSA-2017-0272.html

http://www.securityfocus.com/archive/1/538500/100/0/threaded

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E

https://mail-archives.apache.org/mod_mbox/tika-dev/201605.mbox/%3C1705136517.1175366.1464278135251.JavaMail.yahoo%40mail.yahoo.com%3E

Related Vulnerabilities

CVE-2023-27480 Vulnerability in maven package org.xwiki.platform:xwiki-platform-xar-model

CVE-2018-19361 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2020-36181 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2022-40634 Vulnerability in maven package org.craftercms:craftercms

CVE-2020-2182 Vulnerability in maven package org.jenkins-ci.plugins:credentials-binding

Severity

High

Classification

CWE-611 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory