A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.
A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0
The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.
Vulnerable Library - tika-core-1.8.jar
This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-10088
### Vulnerable Library - tika-core-1.8.jarThis is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Dependency Hierarchy: - :x: **tika-core-1.8.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsA carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.
Publish Date: 2019-08-02
URL: CVE-2019-10088
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10088
Release Date: 2019-08-02
Fix Resolution: 1.22
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2019-10094
### Vulnerable Library - tika-core-1.8.jarThis is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Dependency Hierarchy: - :x: **tika-core-1.8.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsA carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.
Publish Date: 2019-08-02
URL: CVE-2019-10094
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10093
Release Date: 2019-08-02
Fix Resolution: 1.22
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2018-17197
### Vulnerable Library - tika-core-1.8.jarThis is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Dependency Hierarchy: - :x: **tika-core-1.8.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsA carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.
Publish Date: 2018-12-24
URL: CVE-2018-17197
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17197
Release Date: 2018-12-24
Fix Resolution: 1.20
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-30973
### Vulnerable Library - tika-core-1.8.jarThis is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Dependency Hierarchy: - :x: **tika-core-1.8.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsWe failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.
Publish Date: 2022-05-31
URL: CVE-2022-30973
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30973
Release Date: 2022-05-31
Fix Resolution: 1.28.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-30126
### Vulnerable Library - tika-core-1.8.jarThis is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Dependency Hierarchy: - :x: **tika-core-1.8.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsIn Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0
Publish Date: 2022-05-16
URL: CVE-2022-30126
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30126
Release Date: 2022-05-16
Fix Resolution: 1.28.2
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-33879
### Vulnerable Library - tika-core-1.8.jarThis is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Dependency Hierarchy: - :x: **tika-core-1.8.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsThe initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.
Publish Date: 2022-06-27
URL: CVE-2022-33879
### CVSS 3 Score Details (3.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33879
Release Date: 2022-06-27
Fix Resolution: 1.28.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.