| 0 |
| url |
VCID-2yb7-v3m7-3ffz |
| vulnerability_id |
VCID-2yb7-v3m7-3ffz |
| summary |
Uncontrolled Resource Consumption
A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-1950, GHSA-3h29-52vh-pqgr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2yb7-v3m7-3ffz |
|
| 1 |
| url |
VCID-2yxn-wffn-x7gr |
| vulnerability_id |
VCID-2yxn-wffn-x7gr |
| summary |
Loop with Unreachable Exit Condition (Infinite Loop)
A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika's `SQLite3Parser`. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2018-17197, GHSA-3448-vfvv-xp9g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2yxn-wffn-x7gr |
|
| 2 |
| url |
VCID-42ad-sh45-7fev |
| vulnerability_id |
VCID-42ad-sh45-7fev |
| summary |
Loop with Unreachable Exit Condition (Infinite Loop)
A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-28657, GHSA-567x-m4wm-87v8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-42ad-sh45-7fev |
|
| 3 |
|
| 4 |
| url |
VCID-7snd-ac5u-bydy |
| vulnerability_id |
VCID-7snd-ac5u-bydy |
| summary |
Deserialization of Untrusted Data
Apache Tika allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes `JMatIO` to do native deserialization. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.tika/tika-core@1.14 |
| purl |
pkg:maven/org.apache.tika/tika-core@1.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2yb7-v3m7-3ffz |
|
| 1 |
| vulnerability |
VCID-2yxn-wffn-x7gr |
|
| 2 |
| vulnerability |
VCID-42ad-sh45-7fev |
|
| 3 |
| vulnerability |
VCID-7d9k-ekje-fbe1 |
|
| 4 |
| vulnerability |
VCID-8qc9-3mxe-8ydp |
|
| 5 |
| vulnerability |
VCID-98bu-vqgb-x7a8 |
|
| 6 |
| vulnerability |
VCID-c7gc-egj2-2yb9 |
|
| 7 |
| vulnerability |
VCID-dc2n-xs2k-abbz |
|
| 8 |
| vulnerability |
VCID-j6j1-yp44-hqdt |
|
| 9 |
| vulnerability |
VCID-jyak-stwf-f3gw |
|
| 10 |
| vulnerability |
VCID-q319-5s6s-aqab |
|
| 11 |
| vulnerability |
VCID-r5jk-9f46-rygg |
|
| 12 |
| vulnerability |
VCID-uj1b-pk9r-ryhz |
|
| 13 |
| vulnerability |
VCID-uyg4-mswu-s3f5 |
|
| 14 |
| vulnerability |
VCID-x3y9-rbfc-47b8 |
|
| 15 |
| vulnerability |
VCID-zj8z-ja31-mkcr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tika/tika-core@1.14 |
|
|
| aliases |
CVE-2016-6809, GHSA-j8g6-2wh7-6439
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7snd-ac5u-bydy |
|
| 5 |
| url |
VCID-8qc9-3mxe-8ydp |
| vulnerability_id |
VCID-8qc9-3mxe-8ydp |
| summary |
The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-33879, GHSA-6q8v-2hvm-fx37
|
| risk_score |
1.5 |
| exploitability |
0.5 |
| weighted_severity |
3.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8qc9-3mxe-8ydp |
|
| 6 |
| url |
VCID-98bu-vqgb-x7a8 |
| vulnerability_id |
VCID-98bu-vqgb-x7a8 |
| summary |
Improper Restriction of XML External Entity Reference
In Apache Tika, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a DoS. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2018-11761, GHSA-6jq2-789q-fff2
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-98bu-vqgb-x7a8 |
|
| 7 |
| url |
VCID-b19y-wyyt-4ff9 |
| vulnerability_id |
VCID-b19y-wyyt-4ff9 |
| summary |
Improper Restriction of XML External Entity Reference
Apache Tika does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.tika/tika-core@1.13 |
| purl |
pkg:maven/org.apache.tika/tika-core@1.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2yb7-v3m7-3ffz |
|
| 1 |
| vulnerability |
VCID-2yxn-wffn-x7gr |
|
| 2 |
| vulnerability |
VCID-42ad-sh45-7fev |
|
| 3 |
| vulnerability |
VCID-7d9k-ekje-fbe1 |
|
| 4 |
| vulnerability |
VCID-7snd-ac5u-bydy |
|
| 5 |
| vulnerability |
VCID-8qc9-3mxe-8ydp |
|
| 6 |
| vulnerability |
VCID-98bu-vqgb-x7a8 |
|
| 7 |
| vulnerability |
VCID-c7gc-egj2-2yb9 |
|
| 8 |
| vulnerability |
VCID-dc2n-xs2k-abbz |
|
| 9 |
| vulnerability |
VCID-j6j1-yp44-hqdt |
|
| 10 |
| vulnerability |
VCID-jyak-stwf-f3gw |
|
| 11 |
| vulnerability |
VCID-q319-5s6s-aqab |
|
| 12 |
| vulnerability |
VCID-r5jk-9f46-rygg |
|
| 13 |
| vulnerability |
VCID-uj1b-pk9r-ryhz |
|
| 14 |
| vulnerability |
VCID-uyg4-mswu-s3f5 |
|
| 15 |
| vulnerability |
VCID-x3y9-rbfc-47b8 |
|
| 16 |
| vulnerability |
VCID-zj8z-ja31-mkcr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tika/tika-core@1.13 |
|
|
| aliases |
CVE-2016-4434, GHSA-4xr4-4c65-hj7f
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b19y-wyyt-4ff9 |
|
| 8 |
| url |
VCID-c7gc-egj2-2yb9 |
| vulnerability_id |
VCID-c7gc-egj2-2yb9 |
| summary |
Improper Restriction of XML External Entity Reference
Tika reuses SAXParsers and calls `reset()` after each parse; the parser ignores entity expansion limits after the first parse. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2018-11796, GHSA-h8q5-g2cj-qr5h
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c7gc-egj2-2yb9 |
|
| 9 |
|
| 10 |
| url |
VCID-j6j1-yp44-hqdt |
| vulnerability_id |
VCID-j6j1-yp44-hqdt |
| summary |
Path Traversal
In a rare edge case where a user does not specify an extract directory on the commandline (`--extract-dir=`) and the input file has an embedded file with an absolute path, tika-app would overwrite that file. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-11762, GHSA-w6g3-v46q-5p28
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j6j1-yp44-hqdt |
|
| 11 |
| url |
VCID-jyak-stwf-f3gw |
| vulnerability_id |
VCID-jyak-stwf-f3gw |
| summary |
Loop with Unreachable Exit Condition (Infinite Loop)
In Apache Tikato, a carefully crafted file can trigger an infinite loop in the `IptcAnpaParser`. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2018-8017, GHSA-j53j-gmr9-h8g3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jyak-stwf-f3gw |
|
| 12 |
| url |
VCID-r5jk-9f46-rygg |
| vulnerability_id |
VCID-r5jk-9f46-rygg |
| summary |
Stack buffer overflow
A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a `StackOverflowError` in Apache Tika's `RecursiveParserWrapper`. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-10094, GHSA-mm7m-xg4h-6m52
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r5jk-9f46-rygg |
|
| 13 |
| url |
VCID-uj1b-pk9r-ryhz |
| vulnerability_id |
VCID-uj1b-pk9r-ryhz |
| summary |
Loop with Unreachable Exit Condition (Infinite Loop)
A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-1951, GHSA-3264-3fm9-fg44
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uj1b-pk9r-ryhz |
|
| 14 |
| url |
VCID-uyg4-mswu-s3f5 |
| vulnerability_id |
VCID-uyg4-mswu-s3f5 |
| summary |
Code Injection
From Apache Tika, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
|
| aliases |
CVE-2018-1335, GHSA-9r24-gp44-h3pm
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uyg4-mswu-s3f5 |
|
| 15 |
|
| 16 |
|