Description

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

Remediation

References

https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E

https://lists.apache.org/thread.html/r915add4aa52c60d1b5cf085039cfa73a98d7fae9673374dfd7744b5a%40%3Cdev.tika.apache.org%3E

https://security.netapp.com/advisory/ntap-20210507-0004/

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Related Vulnerabilities

CVE-2022-45378 Vulnerability in maven package soap:soap

CVE-2023-48219 Vulnerability in maven package org.webjars:tinymce

CVE-2021-39187 Vulnerability in npm package parse-server

CVE-2020-15095 Vulnerability in maven package org.webjars.bower:npm

CVE-2020-14389 Vulnerability in maven package org.keycloak:keycloak-core

Severity

Medium

Classification

CWE-835 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Tags

Mailing List Vendor Advisory Third Party Advisory Patch