Description

Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2017-0248.html

http://rhn.redhat.com/errata/RHSA-2017-0249.html

http://rhn.redhat.com/errata/RHSA-2017-0272.html

http://www.securityfocus.com/archive/1/538500/100/0/threaded

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E

https://mail-archives.apache.org/mod_mbox/tika-dev/201605.mbox/%3C1705136517.1175366.1464278135251.JavaMail.yahoo%40mail.yahoo.com%3E

Related Vulnerabilities

CVE-2019-1003041 Vulnerability in maven package org.jenkins-ci.plugins:script-security

CVE-2021-3754 Vulnerability in maven package org.keycloak:keycloak-core

CVE-2022-23302 Vulnerability in maven package log4j:log4j

CVE-2023-40350 Vulnerability in maven package org.jenkins-ci.plugins:docker-swarm

CVE-2022-45401 Vulnerability in maven package org.jenkinsci.plugins:associated-files

Severity

High

Classification

CWE-611 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory