Michael Moritz created TIKA-3051:
------------------------------------
Summary: Buffer Overflow in com.drewnoakes:metadata-extractor 2.11.0
Key: TIKA-3051
URL: https://issues.apache.org/jira/browse/TIKA-3051
Project: Tika
Issue Type: Bug
Affects Versions: 1.23
Reporter: Michael Moritz
This issue has been created automatically by a source code scanner
## Third party component with known security vulnerabilities
ent-search-master/script/vendor_jars > Jars.lock > com.drewnoakes:metadata-extractor@2.11.0
## Overview
[com.drewnoakes:metadata-extractor](https://github.com/drewnoakes/metadata-extractor)
is a Java library for reading metadata from image files.
Affected versions of this package are vulnerable to Buffer Overflow.
Extraction of light source metadata from an invalid/corrupt image file can
lead to infinite recursion within the `PanasonicRawWbInfo2` descriptor
class, resulting in stack consumption.
## Remediation
Upgrade `com.drewnoakes:metadata-extractor` to version v2.13.0 or higher.
## References
- [GitHub Commit Java](https://github.com/drewnoakes/metadata-extractor/pull/420/commits/11cfd54eba77b1164721ca6276a42986ba054fea)
- [GitHub Commit .NET](https://github.com/drewnoakes/metadata-extractor-dotnet/pull/190/commits/3142e5e6a95f2760ace1d2fdd9d50a97eb1c0e23)
- [GitHub PR Java](https://github.com/drewnoakes/metadata-extractor/pull/420)
- [GitHub PR .NET](https://github.com/drewnoakes/metadata-extractor-dotnet/pull/190)
- [SNYK-JAVA-COMDREWNOAKES-455419](https://snyk.io/vuln/SNYK-JAVA-COMDREWNOAKES-455419)