List: oss-security
Subject: [oss-security] [CVE-2016-4434] Apache Tika XML External Entity vulnerability
From: Tim Allison <tallison () apache ! org>
Date: 2016-05-26 15:55:35
Message-ID: 1705136517.1175366.1464278135251.JavaMail.yahoo () mail ! yahoo ! com
CVE-2016-4434: Apache Tika XML External Entity vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Tika 0.10 to 1.12
Description:
Apache Tika parses XML within numerous file formats. In some instances [1], the initialization of the XML parser or the choice of handlers did not protect against XML External Entity (XXE) vulnerabilities. According to www.owasp.org [2]: "This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts."
Mitigation:
Upgrade to Apache Tika 1.13.
Credit:
This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi Kim, Mesut Timur, and Microsoft Vulnerability Research.
[1] Spreadsheets in OOXML files and XMP in PDF and other file formats.
[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
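As an added illustration of the parser-initialization point made in the Description (this is my own example, not code from the Tika project and not the change shipped in 1.13): a JAXP/Xerces SAX parser left at its defaults will attempt to resolve an external entity declared in a document's DOCTYPE, whereas the hardened factory below rejects the DOCTYPE before any resolution can happen. The sample document, the class name and the probe method are constructed for this example; the feature URIs are the standard Xerces/JAXP ones that the JDK's built-in parser recognises.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeParserCheck {

    // Constructed sample document: declares an external entity and references it.
    // The SYSTEM identifier is a deliberately non-existent placeholder path.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\">]>\n"
        + "<d>&ext;</d>";

    /** Parser built the way many call sites do it: factory defaults, no hardening. */
    static SAXParser defaultParser() throws Exception {
        return SAXParserFactory.newInstance().newSAXParser();
    }

    /** Hardened parser: no DOCTYPE at all, and external entities never resolved. */
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Rejecting the DOCTYPE removes the only place an external entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for callers that must accept a DOCTYPE: still never fetch externals.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    /** Collects character content so we can see whether an entity was expanded. */
    static String parseText(SAXParser p, String xml) throws Exception {
        StringBuilder text = new StringBuilder();
        p.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int len) {
                text.append(ch, start, len);
            }
        });
        return text.toString();
    }

    /** Runs the sample through a parser and reports which of the three outcomes occurred. */
    static String probe(String label, SAXParser p) {
        try {
            String text = parseText(p, SAMPLE);
            return label + ": DOCTYPE accepted and entity expanded to " + text.length() + " chars";
        } catch (SAXException e) {
            // The hardened parser lands here: the DOCTYPE is refused before any I/O.
            return label + ": rejected by parser (" + e.getMessage() + ")";
        } catch (Exception e) {
            // The default parser lands here: it tried to open the placeholder resource.
            return label + ": attempted to fetch the external resource (" + e + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(probe("default ", defaultParser()));
        System.out.println(probe("hardened", hardenedParser()));
    }
}
```

Compile and run with `javac XxeParserCheck.java && java XxeParserCheck`; the first line shows the default parser reaching for the external resource, the second shows the hardened one refusing the DOCTYPE. The same feature URIs are accepted by `DocumentBuilderFactory` for DOM parsing, and the probe is a cheap regression check to keep next to any code path that constructs a parser for untrusted input.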