Description

Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2017-0248.html

http://rhn.redhat.com/errata/RHSA-2017-0249.html

http://rhn.redhat.com/errata/RHSA-2017-0272.html

http://www.securityfocus.com/archive/1/538500/100/0/threaded

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E

https://mail-archives.apache.org/mod_mbox/tika-dev/201605.mbox/%3C1705136517.1175366.1464278135251.JavaMail.yahoo%40mail.yahoo.com%3E

Related Vulnerabilities

CVE-2020-11971 Vulnerability in maven package org.apache.camel:camel-spring

CVE-2019-1003005 Vulnerability in maven package org.jenkins-ci.plugins:script-security

CVE-2018-20433 Vulnerability in maven package c3p0:c3p0

CVE-2023-27905 Vulnerability in maven package org.jenkins-ci:update-center2

CVE-2021-39232 Vulnerability in maven package org.apache.ozone:ozone-main

Severity

High

Classification

CWE-611 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory