org.apache.tika:tika is vulnerable to regular expression denial of service (ReDoS) attacks. An attacker can cause a denial of service for users running the StandardsExtractingContentHandler component, because the setThreshold function uses an insecure regular expression that backtracks catastrophically on a specially crafted file. This fix completes the earlier, incomplete fixes for CVE-2022-30126 and CVE-2022-30973.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | apache tika core | le | 2.4.0 |
| | apache tika core | le | 1.28.3 |
www.openwall.com/lists/oss-security/2022/06/27/5
github.com/apache/tika/commit/22f763a3f14f9a47e46212a74b2a5d4339de6ab5
github.com/apache/tika/commit/3f0078639e9b15de7f5f8293df9222fdc1505fe0
lists.apache.org/thread/wfno8mf5nlcvbs78z93q9thgrm30wwfh
sca.analysiscenter.veracode.com/vulnerability-database/security/denial-of-service-dos-/java/sid-35567
sca.analysiscenter.veracode.com/vulnerability-database/security/regular-expression-denial-of-service-redos-/java/sid-35785
security.netapp.com/advisory/ntap-20220812-0004/