XML External Entity Vulnerability in Apache Tika Affecting Numerous File Formats
CVE-2016-4434

7.8 HIGH

Key Information:

Vendor: Apache
Status: Vendor
CVE Published: 30 September 2017

Summary

Apache Tika versions prior to 1.13 are vulnerable to XML External Entity (XXE) injection because the XML parser was not initialized securely and the parser handlers were not selected appropriately. A remote attacker could exploit this by supplying a specially crafted OOXML spreadsheet, or a file (such as a PDF) carrying crafted embedded XMP metadata, so that Tika resolves attacker-controlled external entities while parsing it. Successful exploitation can lead to unauthorized disclosure of sensitive data or denial of service.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved