CVE-2022-30973

We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.

References

Affected packages

Git / github.com/apache/tika

Affected ranges

Type

GIT

Repo

https://github.com/apache/tika

Events

Introduced

Fixed

79d724c3efef0242d41ef22ec8dab00c58d96a3a

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.28.3"
        }
    ]
}

Affected versions

0.*

0.1-incubating

0.10

0.2

0.2-rc1

0.2-rc2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1.*

1.0

1.1

1.10

1.10-rc1

1.11

1.11-rc1

1.12

1.12-rc1

1.13

1.13-rc1

1.14

1.14-rc1

1.15

1.15-rc1

1.16

1.17

1.18

1.18-rc1

1.18-rc2

1.19

1.19.1

1.19.1-rc1

1.2

1.20

1.21

1.22

1.23

1.23-rc1

1.24

1.24.1

1.25

1.26

1.27

1.28

1.28.1

1.28.2

1.3

1.4

1.4-rc2

1.5

1.5-rc1

1.5-rc2

1.6

1.6-rc2

1.7

1.7-rc1

1.7-rc2

1.7-rc3

1.8

1.8-rc1

1.8-rc2

1.9-rc1

1.9-rc2

2.*

2.0.0

2.0.0-ALPHA

2.0.0-BETA

2.1.0

2.2.0

2.2.1

2.3.0

2.4.0

2.4.1

2.5.0

2.6.0

2.7.0

2.8.0

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

3.*

3.0.0

3.0.0-BETA

3.0.0-BETA2

3.1.0

3.2.0

3.2.1

3.2.2

3.2.3

3.3.0

tika-1.*

tika-1.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-30973.json"