
List:       oss-security
Subject:    [oss-security] CVE-2022-30973: Apache Tika: Missing fix for CVE-2022-30126 in 1.28.2
From:       Tim Allison <tallison () apache ! org>
Date:       2022-05-31 13:04:24
Message-ID: ef0d3598-74a5-7981-af98-c05407457f68 () apache ! org

Description:

We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler, could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.

Mitigation:

Avoid using the StandardsExtractingContentHandler or upgrade to Tika 1.28.3 or 2.4.0.

Credit:

This issue was reported by Cathy Hu, SUSE Software Solutions Germany GmbH.
