[ https://issues.apache.org/jira/browse/TIKA-2956?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Allison resolved TIKA-2956.
-------------------------------
    Resolution: Duplicate

Will be fixed in 1.24

> Stack Overflow issue reported on metadata-extractor version used by Tika
> ------------------------------------------------------------------------
>
>                 Key: TIKA-2956
>                 URL: https://issues.apache.org/jira/browse/TIKA-2956
>             Project: Tika
>          Issue Type: Bug
>          Components: app
>    Affects Versions: 1.22
>            Reporter: Sachin
>            Priority: Critical
>
> Nexus Sonatype has reported a security issue with the metadata-extractor version 
> used by Tika
> *Severity :* CVE CVSS 3.0: 7.5; Sonatype CVSS 3.0: 7.5
> *Weakness :* CVE CWE: 400
> *Source :* National Vulnerability Database
> *Categories :* Data
> *Description from CVE :* MetadataExtractor 2.1.0 allows stack consumption.
> *Explanation :* The MetadataExtractor package is vulnerable to a Denial of 
> Service (DoS) attack. The GetWbTypeDescription() function in the 
> PanasonicRawWbInfo2Descriptor.cs and PanasonicRawWbInfoDescriptor.cs files 
> fails to prevent infinite recursion when processing malformed light source 
> information from PanasonicRawWbInfo metadata. A remote attacker can exploit 
> this vulnerability by submitting PanasonicRawWbInfo metadata containing light 
> source information that exploits this issue. This will cause the application 
> to consume a large amount of available resources, ultimately resulting in a 
> DoS condition.
> *Detection :* The application is vulnerable by using this component.
> *Recommendation :* There is no non-vulnerable version of this component. We 
> recommend investigating alternative components or potential mitigating 
> control.
> *Root Cause :* 
> tika-app-1.22.jar : com/drew/metadata/exif/PanasonicRawDistortionDescriptor.class 
> : [2.10.0 , ]
> *Advisories :* Project: 
> [https://github.com/drewnoakes/metadata-extractor/issues/419]
> *CVSS Details :* CVE CVSS 3.0: 7.5; CVSS Vector: 
> CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
--
This message was sent by Atlassian Jira
(v8.3.4#803005)