GHSA-4xr4-4c65-hj7f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4xr4-4c65-hj7f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4xr4-4c65-hj7f/GHSA-4xr4-4c65-hj7f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4xr4-4c65-hj7f
- Aliases
- Published
- 2018-10-17T15:44:22Z
- Modified
- 2023-11-08T03:58:28.747587Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Apache Tika does not properly initialize the XML parser or choose handlers
- Details
-
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2020-06-16T20:59:46Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-611" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2016-4434
- https://github.com/advisories/GHSA-4xr4-4c65-hj7f
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
- https://mail-archives.apache.org/mod_mbox/tika-dev/201605.mbox/%3C1705136517.1175366.1464278135251.JavaMail.yahoo%40mail.yahoo.com%3E
- http://rhn.redhat.com/errata/RHSA-2017-0248.html
- http://rhn.redhat.com/errata/RHSA-2017-0249.html
- http://rhn.redhat.com/errata/RHSA-2017-0272.html
- http://www.securityfocus.com/archive/1/538500/100/0/threaded
Affected packages
Maven / org.apache.tika:tika-core
Package
- Name
- org.apache.tika:tika-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tika/tika-core