CVE-2016-4434: Apache Tika XML External Entity vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Tika 0.10 to 1.12
Description:
Apache Tika parses XML within numerous file formats. In some instances[1], the
initialization of the XML parser or
not be available on all mirrors.
When downloading
from a mirror site, please remember to verify the downloads using
signatures found on the
Apache site:
https://people.apache.org/keys/group/tika.asc
For more information on Apache Tika, visit the project home page:
http://tika.apache.org/
-- Tim Allison, on behalf of the Apache Tika community
ich accept content from external or
untrusted sources are advised to upgrade to Apache POI 3.17 or newer.
-Tim Allison
on behalf of the Apache POI PMC
[0] https://bz.apache.org/bugzilla/show_bug.cgi?id=61338
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=61294
[2] https://bz.apache.org/bugzi
CVE-2018-1339 – DoS (Infinite Loop) Vulnerability in Apache Tika’s ChmParser
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: <1.18
Description: A carefully crafted (or fuzzed) file can trigger an infinite
loop in Apache Tika's ChmParser.
Mitigation: Turn off t
CVE-2018-1338 – DoS (Infinite Loop) Vulnerability in Apache Tika’s BPGParser
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: <1.18
Description: A carefully crafted (or fuzzed) file can trigger an infinite
loop in Apache Tika's BPGParser.
Mitigation: Turn off the
Credit: Tim Allison, a member of the Apache Tika team, discovered this.
CVE-2018-11761: Apache Tika Denial of Service via XML Entity Expansion
Vulnerability
Severity: Medium
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Tika 0.1 to 1.18
Description:
Apache Tika's XML parsers were not configured to limit entity expansion.
They were therefore vulne
input file has an embedded file
with an absolute path, such as "C:/evil.bat", tika-app would overwrite
that file.
Mitigation:
Apache Tika users should upgrade to 1.19 or later
Credit:
This issue was discovered by Tim Allison on the Apache Tika team.
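The embedded-file overwrite described above (an embedded file whose name is an absolute path such as "C:/evil.bat" being written verbatim) is the classic container path-traversal bug. The following is an added example, not code from the advisory or from tika-app, showing the two checks a practitioner wants when writing attacker-named embedded files to disk: reduce the name to a single leaf component and prove the resolved target stays inside the output directory, then open the target so that an existing file is never replaced. The class and method names and the sample names are constructed for this illustration.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;

public class ContainedExtraction {

    /** Reduce an attacker-controlled embedded-file name to a single safe leaf name. */
    static String safeLeaf(String embeddedName, String fallback) {
        if (embeddedName == null) return fallback;
        // Treat both separators as directory separators whatever the host OS, so
        // "C:\\evil.bat", "C:/evil.bat" and "../../x" are all reduced the same way.
        String s = embeddedName.replace('\\', '/');
        String leaf = s.substring(s.lastIndexOf('/') + 1);
        // Drop NUL and other control characters, and ':' (drive / NTFS stream syntax).
        leaf = leaf.replaceAll("[\\x00-\\x1f:]", "").trim();
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) return fallback;
        return leaf;
    }

    /** Resolve the leaf under outDir and verify the result cannot escape it. */
    static Path containedTarget(Path outDir, String embeddedName, String fallback) {
        Path base = outDir.toAbsolutePath().normalize();
        Path target = base.resolve(safeLeaf(embeddedName, fallback)).normalize();
        // startsWith is component-wise, so "/out" does not accept "/outer/x".
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("refusing to write outside " + base + ": " + embeddedName);
        }
        return target;
    }

    /** Open for writing without ever replacing an existing file: CREATE_NEW fails if it exists. */
    static OutputStream openNew(Path target) throws IOException {
        Files.createDirectories(target.getParent());
        return Files.newOutputStream(target, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
    }

    public static void main(String[] args) {
        // Constructed embedded-file names of the kind the advisory describes.
        String[] names = { "C:/evil.bat", "..\\..\\Windows\\System32\\drivers\\etc\\hosts",
                           "/etc/cron.d/job", "docs/report.pdf", "..", "", "weird\u0000name.txt" };
        Path out = Paths.get("tika-extracted");
        for (int i = 0; i < names.length; i++) {
            System.out.printf("%-48s -> %s%n", names[i].replace("\u0000", "\\0"),
                              containedTarget(out, names[i], "embedded-" + i));
        }
    }
}
```

The design choice here is to discard the directory part of the embedded name entirely rather than try to sanitise it; if the original nesting matters, record it in metadata instead of in the file system path. If the extractor must honour sub-directories, keep the containment check on the resolved, normalised path and reject anything whose components include "..".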
CVE-2018-8017: Apache Tika Denial of Service Vulnerability --
Potential Infinite Loop in IptcAnpaParser
Severity: Medium
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Tika 1.2 to 1.18
Description:
A carefully crafted file can trigger an infinite loop in Apache Tika's
IptcAnpa
CVE-2018-11796: Apache Tika Denial of Service via XML Entity Expansion
Vulnerability
Severity: Medium
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Tika 0.1 to 1.19
Description:
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion
limit for XML parsing. However
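CVE-2016-4434 (external entities), CVE-2018-11761 and CVE-2018-11796 (entity expansion) all come down to how the XML parser is initialised before it sees untrusted input. The following is an added example and is not Tika's own parser configuration; it uses the standard JAXP and Xerces feature URIs, which are also what the JDK's built-in parser honours. Both documents are constructed for the illustration: one declares an external entity pointing at a local file, the other a chain of nested entities that expands geometrically. The hardened factory refuses the DOCTYPE outright, so neither an external entity nor an expansion chain can be declared.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXml {

    // Constructed sample: an external general entity that makes the parser read a
    // local file and splice its contents into the document text (XXE).
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY leak SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<note>&leak;</note>";

    /** Constructed sample: nested entities expanding to 10^levels copies of "lol". */
    static String expansionDoc(int levels) {
        StringBuilder dtd = new StringBuilder("<!DOCTYPE lolz [\n <!ENTITY lol0 \"lol\">\n");
        for (int i = 1; i <= levels; i++) {
            dtd.append(" <!ENTITY lol").append(i).append(" \"");
            for (int j = 0; j < 10; j++) dtd.append("&lol").append(i - 1).append(';');
            dtd.append("\">\n");
        }
        return dtd.append("]>\n<lolz>&lol").append(levels).append(";</lolz>").toString();
    }

    /** Standard JAXP hardening: no DOCTYPE, no external entities, no external DTD. */
    static SAXParserFactory hardened() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // With DOCTYPEs refused there is nowhere to declare entities at all, so
        // neither an external entity nor an expansion chain can be set up.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not implement the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /** Parse with the given factory and return the concatenated character data. */
    static String textOf(SAXParserFactory f, String xml) throws Exception {
        StringBuilder text = new StringBuilder();
        f.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory naive = SAXParserFactory.newInstance();  // DOCTYPEs and entities allowed
        SAXParserFactory safe = hardened();
        String[][] samples = { { "xxe", XXE_DOC }, { "expansion", expansionDoc(5) } };
        for (String[] sample : samples) {
            for (SAXParserFactory f : new SAXParserFactory[] { naive, safe }) {
                String label = (f == naive ? "default " : "hardened") + " parser, " + sample[0] + ": ";
                try {
                    String text = textOf(f, sample[1]);
                    System.out.println(label + "accepted, " + text.length() + " chars of text");
                } catch (Exception e) {
                    System.out.println(label + "threw " + e.getClass().getSimpleName() + ": " + e.getMessage());
                }
            }
        }
    }
}
```

On a current JDK the default factory already applies its own entity-expansion ceiling, so the "default" run of the expansion sample may be stopped by that ceiling rather than by anything in this code; the difference to look for is that the hardened factory fails on the DOCTYPE itself, before any entity is declared or any file is opened. Whether the default run of the XXE sample succeeds depends only on whether the referenced file exists, which is exactly the point.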
ika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.
Mitigation:
Apache Tika users should upgrade to 1.20 or later.
Credit:
This issue was discovered by Tim Allison on the Apache Tika Team.
Title: [CVE-2019-10088] OOM from a crafted Zip File in Apache Tika's
RecursiveParserWrapper
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache Tika 1.7 to 1.21
Description:
A carefully crafted or corrupt zip file can cause an OOM in Apache
Tika's RecursiveParserW
pool and lead to very long hangs.
Mitigation:
Apache Tika users should upgrade to 1.22 or later.
Credit:
This issue was discovered by Tim Allison on the Apache Tika team.
ipped/uncompressed yields the same file (a quine), causes a
StackOverflowError in Apache Tika's RecursiveParserWrapper in versions
1.7-1.21 of Apache Tika.
Mitigation:
Apache Tika users should upgrade to 1.22 or later.
Credit:
This issue was discovered by Tim Allison on the Apache Tika
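CVE-2019-10088 (OOM from a crafted zip) and the zip-quine StackOverflowError above are two faces of the same problem: a recursive container walker with no bound on depth or on total inflated size. The following is an added example, not Tika's RecursiveParserWrapper or its fix, showing the general mitigation: one budget object shared across the whole tree of embedded entries, a depth cap that stops a self-containing archive from recursing until the stack is exhausted, and a byte cap that stops a small archive from inflating into gigabytes. A real quine cannot be built inline, so the test input is a constructed zip nested twenty levels deep, which exercises the depth cap the same way.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class BoundedRecursiveUnzip {

    static final int MAX_DEPTH = 8;                 // nested containers allowed per document
    static final long MAX_TOTAL_BYTES = 16L << 20;  // total inflated bytes allowed per document

    /** Budget shared by one document's whole tree of embedded entries. */
    static final class Budget {
        long bytesLeft = MAX_TOTAL_BYTES;
        int entries;
    }

    static boolean looksLikeZip(byte[] b) {
        return b.length >= 4 && b[0] == 'P' && b[1] == 'K' && b[2] == 3 && b[3] == 4;
    }

    /** Read an entry, but never more than the remaining budget (stops decompression bombs). */
    static byte[] readBounded(InputStream in, Budget budget) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) > 0) {
            if (n > budget.bytesLeft) throw new IOException("inflated size exceeds budget");
            budget.bytesLeft -= n;
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    /** Recurse into nested containers; depth is bounded so a quine cannot recurse forever. */
    static void walk(byte[] zip, int depth, Budget budget, StringBuilder log) throws IOException {
        if (depth > MAX_DEPTH) {
            log.append("depth ").append(depth).append(": limit reached, not descending\n");
            return;
        }
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zip))) {
            ZipEntry e;
            while ((e = zin.getNextEntry()) != null) {
                byte[] data = readBounded(zin, budget);
                budget.entries++;
                log.append("depth ").append(depth).append(": ").append(e.getName())
                   .append(" (").append(data.length).append(" bytes)\n");
                if (looksLikeZip(data)) walk(data, depth + 1, budget, log);
            }
        }
    }

    /** Constructed input: a zip nested `levels` deep, standing in for an endlessly nesting quine. */
    static byte[] nestedZip(byte[] payload, int levels) throws IOException {
        byte[] cur = payload;
        String name = "payload.txt";
        for (int i = 0; i < levels; i++) {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            try (ZipOutputStream z = new ZipOutputStream(bos)) {
                z.putNextEntry(new ZipEntry(name));
                z.write(cur);
                z.closeEntry();
            }
            cur = bos.toByteArray();
            name = "inner" + i + ".zip";
        }
        return cur;
    }

    public static void main(String[] args) throws IOException {
        byte[] doc = nestedZip("hello".getBytes(StandardCharsets.UTF_8), 20);  // 20 levels > MAX_DEPTH
        Budget budget = new Budget();
        StringBuilder log = new StringBuilder();
        walk(doc, 0, budget, log);
        System.out.print(log);
        System.out.println(budget.entries + " entries, "
                           + (MAX_TOTAL_BYTES - budget.bytesLeft) + " bytes inflated");
    }
}
```

The budget is deliberately per document rather than per entry: an archive with ten thousand small entries, or one that nests a moderately large file at every level, can exhaust memory without any single entry looking suspicious. In production the same walker should also run under a wall-clock timeout in a separate thread or process, which is the only defence against the infinite-loop parser bugs elsewhere on this page.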
Title: [CVE-2020-1950] Excessive memory usage (DoS) vulnerability in Apache
Tika's PSDParser
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache Tika 1.0 to 1.23
Description:
A carefully crafted or corrupt PSD file can cause excessive memory usage in
Apache Tika's PSDParser in versions 1.0-1.23.
Mitigation:
Apache Tika users should upgrade to 1.24 or later.
Credit:
This issue was discovered by Tim Allison on the Apache Tika team.
Credit:
These vulnerabilities were discovered by Tim Allison on the Apache Tika
team.
Description:
A carefully crafted or corrupt file may trigger an infinite loop in
Tika's MP3Parser up to and including Tika 1.25. Apache Tika users
should upgrade to 1.26 or later.
Mitigation:
Users should upgrade to 1.26 or later.
Credit:
Apache Tika would like to thank Khaled Nassar for repor
The Apache Tika Project Team would like to inform you that the Apache Tika
1.x branch is now in security-only maintenance until September 30, 2022.
After that date, we will not make updates or releases from our 1.x branch.
We will continue to make security fixes and security-related
dependency upgr
Repository:
https://repo1.maven.org/maven2/org/apache/tika/
Severity: low
Description:
A regular expression in our StandardsText class, used by the
StandardsExtractingContentHandler could lead to a denial of service caused by
backtracking on a specially crafted file. This only affects users who are
running the StandardsExtractingContentHandler, which i
Description:
The BPG parser in versions of Tika before 1.28.2 and 2.4.0 may allocate an
unreasonable amount of memory on carefully crafted files.
Description:
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2
release. In Apache Tika, a regular expression in the StandardsText class, used
by the StandardsExtractingContentHandler could lead to a denial of service
caused by backtracking on a specially crafted fil
Severity: low
Description:
The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the
StandardsExtractingContentHandler were insufficient, and we found a
separate, new regex DoS in a different regex in the
StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1
(
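The three StandardsExtractingContentHandler advisories (CVE-2022-30126, CVE-2022-30973 and the follow-up above) are regex backtracking denial of service. The page does not reproduce the affected expressions, so the following added example uses a constructed pattern with the same shape of defect (a nested quantifier with an optional separator, followed by something the crafted input never supplies) and is not Tika's code. It shows the two mitigations a practitioner reaches for: rewrite the pattern with possessive quantifiers so it matches the same strings without ever backtracking, and, for patterns that cannot be rewritten, run the matcher over a CharSequence that aborts once a time budget is spent. The class and method names are constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BoundedRegex {

    /** Thrown from inside the matcher when the time budget is exhausted. */
    static final class RegexTimeout extends RuntimeException {}

    /** CharSequence wrapper that aborts a match once the deadline passes. */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence s;
        private final long deadlineNanos;

        static DeadlineCharSequence withTimeout(CharSequence s, long timeoutMillis) {
            return new DeadlineCharSequence(s, System.nanoTime() + timeoutMillis * 1_000_000L);
        }
        private DeadlineCharSequence(CharSequence s, long deadlineNanos) {
            this.s = s;
            this.deadlineNanos = deadlineNanos;
        }
        @Override public int length() { return s.length(); }
        @Override public char charAt(int index) {
            // The matcher reads every character through here, so a runaway
            // backtrack is interrupted within one character read of the deadline.
            if (System.nanoTime() - deadlineNanos > 0) throw new RegexTimeout();
            return s.charAt(index);
        }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(s.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return s.toString(); }
    }

    // Constructed vulnerable pattern: every way of splitting a run of letters between
    // iterations of the outer group is retried when \d{3,} fails, so work grows as 2^n.
    static final Pattern BACKTRACKING = Pattern.compile("([A-Z]+\\s*)+\\d{3,}");
    // Same language, but possessive quantifiers never give characters back, so the
    // failure of \d{3,} is reported after a single pass.
    static final Pattern LINEAR = Pattern.compile("(?:[A-Z]++\\s*+)++\\d{3,}");

    /** Run find() under a wall-clock budget; returns "match", "no match" or "timeout". */
    static String findWithBudget(Pattern p, String input, long timeoutMillis) {
        Matcher m = p.matcher(DeadlineCharSequence.withTimeout(input, timeoutMillis));
        try {
            return m.find() ? "match" : "no match";
        } catch (RegexTimeout t) {
            return "timeout";
        }
    }

    public static void main(String[] args) {
        // Constructed input: a long run of letters and no digits, so the vulnerable
        // pattern fails only after trying every split of the run.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 40; i++) sb.append('A');
        String evil = sb.append('!').toString();
        for (Pattern p : new Pattern[] { BACKTRACKING, LINEAR }) {
            long t0 = System.nanoTime();
            String result = findWithBudget(p, evil, 200);
            System.out.printf("%-28s %-9s %.1f ms%n", p.pattern(), result, (System.nanoTime() - t0) / 1e6);
        }
    }
}
```

The deadline wrapper is a containment measure, not a fix: it turns an unbounded hang into a bounded failure for that one document, which is what a content-extraction service needs when it cannot audit every regex it runs. Capping the length of the text handed to a content handler is a cheap complement, since the cost of catastrophic backtracking is exponential in the length of the run it is given.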
ted CVEs: CVE-2023-6481/CVE-2023-6378.
NOTE: This release requires Java 11. We plan to support the
2.x branch (which requires Java 8) for six months after the
release of 3.0.0.
-- Tim Allison, on behalf of the Apache Tika community