CVE-2020-9489 – org.apache.tika:tika

Package

Manager: maven
Name: org.apache.tika:tika
Vulnerable Version: >=0 <1.24.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0041 pctl0.60532

Details

Missing Release of Memory after Effective Lifetime in Apache Tika A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.

Metadata

Created: 2021-05-07T15:53:40Z
Modified: 2022-10-07T20:41:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-4pv3-63jw-4jw2/GHSA-4pv3-63jw-4jw2.json
CWE IDs: ["CWE-401", "CWE-835"]
Alternative ID: GHSA-4pv3-63jw-4jw2
Finding: F067
Auto approve: 1