Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR4cjQtNGM2NS1oajdm
Apache Tika does not properly initialize the XML parser or choose handlers
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
Permalink: https://github.com/advisories/GHSA-4xr4-4c65-hj7fJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR4cjQtNGM2NS1oajdm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: over 1 year ago
CVSS Score: 7.8
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-4xr4-4c65-hj7f, CVE-2016-4434
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-4434
- https://github.com/advisories/GHSA-4xr4-4c65-hj7f
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
- https://mail-archives.apache.org/mod_mbox/tika-dev/201605.mbox/%3C1705136517.1175366.1464278135251.JavaMail.yahoo%40mail.yahoo.com%3E
- http://rhn.redhat.com/errata/RHSA-2017-0248.html
- http://rhn.redhat.com/errata/RHSA-2017-0249.html
- http://rhn.redhat.com/errata/RHSA-2017-0272.html
- http://www.securityfocus.com/archive/1/538500/100/0/threaded
Affected Packages
maven:org.apache.tika:tika-core
Dependent packages: 766Dependent repositories: 6,036
Downloads:
Affected Version Ranges: < 1.13
Fixed in: 1.13
All affected versions:
All unaffected versions: 1.19.1, 1.24.1, 1.28.1, 1.28.2, 1.28.3, 1.28.4, 1.28.5, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.9.2