tika-parsers-1.27.jar: 1 vulnerabilities (highest severity is: 5.5)

[mend-for-github-com[bot]]

Vulnerable Library - tika-parsers-1.27.jar

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (tika-parsers version)	Remediation Possible**	Reachability
CVE-2022-25169	Medium	5.5	tika-parsers-1.27.jar	Direct	1.28.2	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-25169

### Vulnerable Library - tika-parsers-1.27.jar

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml

Dependency Hierarchy: - :x: **tika-parsers-1.27.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.

Publish Date: 2022-05-16

URL: CVE-2022-25169

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25169

Release Date: 2022-05-16

Fix Resolution: 1.28.2

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

---

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.