[ 
https://issues.apache.org/jira/browse/TIKA-3664?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tim Allison resolved TIKA-3664.
-------------------------------
    Fix Version/s: 1.28.1
                   2.3.0
         Assignee: Tim Allison
       Resolution: Fixed

> [8.6] [CVE-2022-23437] [xercesImpl] [2.12.1]
> --------------------------------------------
>
>                 Key: TIKA-3664
>                 URL: https://issues.apache.org/jira/browse/TIKA-3664
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 2.1.0
>            Reporter: Aman Mishra
>            Assignee: Tim Allison
>            Priority: Major
>             Fix For: 1.28.1, 2.3.0
>
>
> tika-bundle-standard-2.1.0.jar/xercesImpl-2.12.1.jar
> tika-bundle-standard is using xercesImpl-2.12.1.jar, which seems to be 
> vulnerable. Please check.
> *Description :*
> *Severity :* Sonatype CVSS 3: 8.6; CVE CVSS 2.0: 0.0
> *Weakness :* Sonatype CWE: 611
> *Source :* National Vulnerability Database
> *Categories :* Data
> *Description from CVE :* There XML parser when handling specially crafted XML 
> document payloads. This causes the XercesJ XML parser to wait in an infinite 
> loop, which may sometimes consume system resources for a prolonged duration. 
> This vulnerability is present within XercesJ version 2.12.1 and the previous 
> versions.
> *Explanation :* This issue has undergone the Sonatype Fast-Track process. For 
> more information, please see the Sonatype Knowledge Base Guide.
> *Root Cause :* xercesImpl-2.12.1.jar : [ ,2.12.2]
> *Advisories :* Project: 
> [http://www.openwall.com/lists/oss-security/2022/01/24/3]
> *CVSS Details :* Sonatype CVSS 3: 8.6; CVSS Vector: 
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
> *Occurrences (Paths) :* 
> ["/tika-bundle-standard-2.1.0.jar/xercesImpl-2.12.1.jar"]
> *CVE :* CVE-2022-23437
> *URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23437]
> *Remediation :* This component does not have any non-vulnerable Version. 
> Please contact the vendor to get this vulnerability fixed.
> *First Scan Date :* Wed Jan 26 02:49:18 IST 2022



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
