CVE-2016-4434 – org.apache.tika:tika-core
Package
Manager: maven
Name: org.apache.tika:tika-core
Vulnerable Version: >=0 <1.13
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00415 (percentile 0.6082)
Details
Apache Tika does not properly initialize the XML parser or choose handlers.
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
Metadata
Created: 2018-10-17T15:44:22Z
Modified: 2022-04-26T21:46:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4xr4-4c65-hj7f/GHSA-4xr4-4c65-hj7f.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-4xr4-4c65-hj7f
Finding: F083
Auto approve: 1