CVE-2022-25169 – org.apache.tika:tika
Package
Manager: maven
Name: org.apache.tika:tika
Vulnerable Version: >=0 <1.28.2 || >=2.0.0 <2.4.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00067 (percentile: 0.21216)
Details
Apache Tika vulnerable to uncontrolled memory consumption
The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
Metadata
Created: 2022-05-17T00:00:36Z
Modified: 2022-08-11T13:21:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7qcq-xp2f-56f6/GHSA-7qcq-xp2f-56f6.json
CWE IDs: ["CWE-400", "CWE-770"]
Alternative ID: GHSA-7qcq-xp2f-56f6
Finding: F067
Auto approve: 1