| 0 |
| url |
VCID-2yb7-v3m7-3ffz |
| vulnerability_id |
VCID-2yb7-v3m7-3ffz |
| summary |
Uncontrolled Resource Consumption
A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-1950, GHSA-3h29-52vh-pqgr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2yb7-v3m7-3ffz |
|
| 1 |
| url |
VCID-42ad-sh45-7fev |
| vulnerability_id |
VCID-42ad-sh45-7fev |
| summary |
Loop with Unreachable Exit Condition (Infinite Loop)
A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-28657, GHSA-567x-m4wm-87v8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-42ad-sh45-7fev |
|
| 2 |
|
| 3 |
| url |
VCID-7snd-ac5u-bydy |
| vulnerability_id |
VCID-7snd-ac5u-bydy |
| summary |
Deserialization of Untrusted Data
Apache Tika allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes `JMatIO` to do native deserialization. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.tika/tika-core@1.14 |
| purl |
pkg:maven/org.apache.tika/tika-core@1.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2yb7-v3m7-3ffz |
|
| 1 |
| vulnerability |
VCID-2yxn-wffn-x7gr |
|
| 2 |
| vulnerability |
VCID-42ad-sh45-7fev |
|
| 3 |
| vulnerability |
VCID-7d9k-ekje-fbe1 |
|
| 4 |
| vulnerability |
VCID-8qc9-3mxe-8ydp |
|
| 5 |
| vulnerability |
VCID-98bu-vqgb-x7a8 |
|
| 6 |
| vulnerability |
VCID-c7gc-egj2-2yb9 |
|
| 7 |
| vulnerability |
VCID-dc2n-xs2k-abbz |
|
| 8 |
| vulnerability |
VCID-j6j1-yp44-hqdt |
|
| 9 |
| vulnerability |
VCID-jyak-stwf-f3gw |
|
| 10 |
| vulnerability |
VCID-q319-5s6s-aqab |
|
| 11 |
| vulnerability |
VCID-r5jk-9f46-rygg |
|
| 12 |
| vulnerability |
VCID-uj1b-pk9r-ryhz |
|
| 13 |
| vulnerability |
VCID-uyg4-mswu-s3f5 |
|
| 14 |
| vulnerability |
VCID-x3y9-rbfc-47b8 |
|
| 15 |
| vulnerability |
VCID-zj8z-ja31-mkcr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tika/tika-core@1.14 |
|
|
| aliases |
CVE-2016-6809, GHSA-j8g6-2wh7-6439
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7snd-ac5u-bydy |
|
| 4 |
| url |
VCID-8qc9-3mxe-8ydp |
| vulnerability_id |
VCID-8qc9-3mxe-8ydp |
| summary |
The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-33879, GHSA-6q8v-2hvm-fx37
|
| risk_score |
1.5 |
| exploitability |
0.5 |
| weighted_severity |
3.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8qc9-3mxe-8ydp |
|
| 5 |
| url |
VCID-98bu-vqgb-x7a8 |
| vulnerability_id |
VCID-98bu-vqgb-x7a8 |
| summary |
Improper Restriction of XML External Entity Reference
In Apache Tika, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a DoS. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2018-11761, GHSA-6jq2-789q-fff2
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-98bu-vqgb-x7a8 |
|
| 6 |
| url |
VCID-b19y-wyyt-4ff9 |
| vulnerability_id |
VCID-b19y-wyyt-4ff9 |
| summary |
Improper Restriction of XML External Entity Reference
Apache Tika does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.tika/tika-core@1.13 |
| purl |
pkg:maven/org.apache.tika/tika-core@1.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2yb7-v3m7-3ffz |
|
| 1 |
| vulnerability |
VCID-2yxn-wffn-x7gr |
|
| 2 |
| vulnerability |
VCID-42ad-sh45-7fev |
|
| 3 |
| vulnerability |
VCID-7d9k-ekje-fbe1 |
|
| 4 |
| vulnerability |
VCID-7snd-ac5u-bydy |
|
| 5 |
| vulnerability |
VCID-8qc9-3mxe-8ydp |
|
| 6 |
| vulnerability |
VCID-98bu-vqgb-x7a8 |
|
| 7 |
| vulnerability |
VCID-c7gc-egj2-2yb9 |
|
| 8 |
| vulnerability |
VCID-dc2n-xs2k-abbz |
|
| 9 |
| vulnerability |
VCID-j6j1-yp44-hqdt |
|
| 10 |
| vulnerability |
VCID-jyak-stwf-f3gw |
|
| 11 |
| vulnerability |
VCID-q319-5s6s-aqab |
|
| 12 |
| vulnerability |
VCID-r5jk-9f46-rygg |
|
| 13 |
| vulnerability |
VCID-uj1b-pk9r-ryhz |
|
| 14 |
| vulnerability |
VCID-uyg4-mswu-s3f5 |
|
| 15 |
| vulnerability |
VCID-x3y9-rbfc-47b8 |
|
| 16 |
| vulnerability |
VCID-zj8z-ja31-mkcr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tika/tika-core@1.13 |
|
|
| aliases |
CVE-2016-4434, GHSA-4xr4-4c65-hj7f
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b19y-wyyt-4ff9 |
|
| 7 |
| url |
VCID-c7gc-egj2-2yb9 |
| vulnerability_id |
VCID-c7gc-egj2-2yb9 |
| summary |
Improper Restriction of XML External Entity Reference
Tika reuses SAXParsers and calls `reset()` after each parse; the parser ignores entity expansion limits after the first parse. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2018-11796, GHSA-h8q5-g2cj-qr5h
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c7gc-egj2-2yb9 |
|
| 8 |
| url |
VCID-j6j1-yp44-hqdt |
| vulnerability_id |
VCID-j6j1-yp44-hqdt |
| summary |
Path Traversal
In a rare edge case where a user does not specify an extract directory on the commandline (`--extract-dir=`) and the input file has an embedded file with an absolute path, tika-app would overwrite that file. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-11762, GHSA-w6g3-v46q-5p28
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j6j1-yp44-hqdt |
|
| 9 |
| url |
VCID-jyak-stwf-f3gw |
| vulnerability_id |
VCID-jyak-stwf-f3gw |
| summary |
Loop with Unreachable Exit Condition (Infinite Loop)
In Apache Tikato, a carefully crafted file can trigger an infinite loop in the `IptcAnpaParser`. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2018-8017, GHSA-j53j-gmr9-h8g3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jyak-stwf-f3gw |
|
| 10 |
| url |
VCID-uj1b-pk9r-ryhz |
| vulnerability_id |
VCID-uj1b-pk9r-ryhz |
| summary |
Loop with Unreachable Exit Condition (Infinite Loop)
A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-1951, GHSA-3264-3fm9-fg44
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uj1b-pk9r-ryhz |
|
| 11 |
|
| 12 |
|