U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:apache:tika:0.6
There are 11 matching records.
Displaying matches 1 through 11.
Vuln ID Summary CVSS Severity
CVE-2022-33879

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.

Published: June 27, 2022; 6:15:09 PM -0400
V3.1: 3.3 LOW
V2.0: 2.6 LOW
CVE-2022-30973

We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.

Published: May 31, 2022; 10:15:07 AM -0400
V3.1: 5.5 MEDIUM
V2.0: 2.6 LOW
CVE-2022-30126

In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0

Published: May 16, 2022; 1:15:09 PM -0400
V3.1: 5.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2022-25169

The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.

Published: May 16, 2022; 1:15:09 PM -0400
V3.1: 5.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-28657

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

Published: March 31, 2021; 4:15:11 AM -0400
V3.1: 5.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2018-11796

In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.

Published: October 09, 2018; 6:29:00 PM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2018-11761

In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.

Published: September 19, 2018; 10:29:00 AM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2018-1339

A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.

Published: April 25, 2018; 5:29:00 PM -0400
V3.0: 5.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2018-1338

A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.

Published: April 25, 2018; 5:29:00 PM -0400
V3.0: 5.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2018-1335

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

Published: April 25, 2018; 5:29:00 PM -0400
V3.0: 8.1 HIGH
V2.0: 9.3 HIGH
CVE-2016-6809

Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.

Published: April 06, 2017; 5:59:00 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH