Description

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

Remediation

References

https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E

https://lists.apache.org/thread.html/r915add4aa52c60d1b5cf085039cfa73a98d7fae9673374dfd7744b5a%40%3Cdev.tika.apache.org%3E

https://security.netapp.com/advisory/ntap-20210507-0004/

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Related Vulnerabilities

CVE-2021-3757 Vulnerability in npm package immer

CVE-2020-7013 Vulnerability in npm package kibana

CVE-2022-36901 Vulnerability in maven package org.jenkins-ci.plugins:http_request

CVE-2021-33900 Vulnerability in maven package org.apache.directory.studio:org.apache.directory.studio.parent

CVE-2021-23266 Vulnerability in maven package org.craftercms:crafter-engine

Severity

Medium

Classification

CWE-835 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Tags

Mailing List Vendor Advisory Third Party Advisory Patch