List:       oss-security
Subject:    [oss-security] [CVE-2016-4434] Apache Tika XML External Entity vulnerability
From:       Tim Allison <tallison () apache ! org>
Date:       2016-05-26 15:55:35
Message-ID: 1705136517.1175366.1464278135251.JavaMail.yahoo () mail ! yahoo ! com

CVE-2016-4434: Apache Tika XML External Entity vulnerability

Severity: Important


Vendor: 
The Apache Software Foundation

Versions Affected: 
Apache Tika 0.10 to 1.12

Description: 
Apache Tika parses XML embedded within numerous file formats. In some instances [1], the initialization of the XML parser or the choice of SAX handlers did not protect against XML External Entity (XXE) attacks, so a crafted document could cause the parser to resolve attacker-controlled external entities on the host running Tika. According to www.owasp.org [2]: "This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts."


Mitigation: 
Upgrade to Apache Tika 1.13.

Credit: 
This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi Kim, Mesut Timur, and Microsoft Vulnerability Research.

[1] Spreadsheets in OOXML files and XMP in PDF and other file formats.
[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
