Incomplete fix and new regex DoS in StandardsExtractingContentHandler
CVE-2022-33879

3.3LOW

Key Information:

Vendor: Apache
Status: Apache Tika
Vendor: CVE Published:; 27 June 2022

Summary

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.

Affected Version(s)

Apache Tika Apache Tika < 2.4.1

References

https://lists.apache.org/thread/wfno8mf5nlcvbs78z93q9thgr...

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2022/06/27/5

mailing-listx_refsource_MLIST

https://security.netapp.com/advisory/ntap-20220812-0004/

x_refsource_CONFIRM

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jun 27, 2022
Vulnerability Reserved
Jun 16, 2022

Credit

This incomplete fix was discovered and reported by the CodeQL team member [@atorralba (Tony Torralba)](https://github.com/atorralba) and [@jarlob (Jaroslav Lobačevski)](https://github.com/jarlob) from Github Security Lab. The new ReDos was discovered by the Apache Tika team.