Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03cWNxLXhwMmYtNTZmNs4AAX6E
Apache Tika vulnerable to uncontrolled memory consumption
The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
Permalink: https://github.com/advisories/GHSA-7qcq-xp2f-56f6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03cWNxLXhwMmYtNTZmNs4AAX6E
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-7qcq-xp2f-56f6, CVE-2022-25169
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25169
- https://lists.apache.org/thread/t3tb51sf0k2pmbnzsrrrm23z9r1c10rk
- http://www.openwall.com/lists/oss-security/2022/05/16/4
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://security.netapp.com/advisory/ntap-20220804-0004/
- https://github.com/advisories/GHSA-7qcq-xp2f-56f6
Affected Packages
maven:org.apache.tika:tika
Dependent packages: 1Dependent repositories: 56
Downloads:
Affected Version Ranges: >= 2.0.0, < 2.4.0, < 1.28.2
Fixed in: 2.4.0, 1.28.2
All affected versions: 1.19.1, 1.24.1, 1.28.1, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.3.0
All unaffected versions: 1.28.2, 1.28.3, 1.28.4, 1.28.5, 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.9.2