Description

Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.

Remediation

References

https://mail-archives.apache.org/mod_mbox/tika-dev/201605.mbox/%3C1705136517.1175366.1464278135251.JavaMail.yahoo%40mail.yahoo.com%3E

http://rhn.redhat.com/errata/RHSA-2017-0272.html

http://rhn.redhat.com/errata/RHSA-2017-0249.html

http://rhn.redhat.com/errata/RHSA-2017-0248.html

http://www.securityfocus.com/archive/1/538500/100/0/threaded

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E

Related Vulnerabilities

CVE-2021-44791 Vulnerability in maven package org.apache.druid:druid

CVE-2022-23437 Vulnerability in maven package xerces:xercesimpl

CVE-2020-13943 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2021-41183 Vulnerability in maven package org.webjars.bower:jquery-ui

CVE-2021-21341 Vulnerability in maven package com.thoughtworks.xstream:xstream

Severity

High

Classification

CWE-611 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory