List: oss-security
Subject: [oss-security] CVE-2022-33879: Apache Tika: Incomplete fix and new regex DoS in StandardsExtractingC
From: Tim Allison <tallison () apache ! org>
Date: 2022-06-27 20:30:57
Message-ID: 98a8ea54-34b2-8826-b198-19d5a1acbbf6 () apache ! org
Severity: low
Description:
The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.
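The advisory names the bug class (regex denial of service from catastrophic backtracking) but not the pattern. The following Java program is an added illustration, not code from Apache Tika or from this advisory: it uses a constructed nested-quantifier pattern, `([A-Z]+)+\d`, to stand in for the vulnerable shape, places a flat rewrite beside it, and shows two defensive controls a caller can apply to any `java.util.regex` use: a cap on input length and a wall-clock budget enforced through a `CharSequence` wrapper. `MAX_INPUT_CHARS`, the budget values, the class and method names, and the sample input are all assumptions of this example.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class BoundedRegexDemo {

    // Constructed pattern with a nested quantifier. It is NOT the regex from
    // StandardsExtractingContentHandler; it only has the shape that backtracks
    // exponentially when the trailing digit never appears in the input.
    static final Pattern NESTED = Pattern.compile("([A-Z]+)+\\d");

    // Same language without the nested quantifier: one character-class run
    // followed by a digit backtracks linearly in the input length.
    static final Pattern FLAT = Pattern.compile("[A-Z]+\\d");

    // Upper bound on the text a single regex may see (assumed value).
    static final int MAX_INPUT_CHARS = 10_000;

    static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException() { super("regex exceeded its time budget"); }
    }

    // CharSequence that aborts the match once a wall-clock budget is spent.
    // java.util.regex reads its input only through charAt(), so a check there
    // interrupts even a pathological backtracking loop.
    static final class TimeBoxed implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        private TimeBoxed(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        static TimeBoxed withBudget(CharSequence s, long budgetMillis) {
            return new TimeBoxed(s, System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(budgetMillis));
        }

        @Override public int length() { return inner.length(); }

        @Override public char charAt(int index) {
            if (System.nanoTime() > deadlineNanos) {
                throw new RegexTimeoutException();
            }
            return inner.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            // Share the deadline so sub-sequences taken by Matcher stay boxed.
            return new TimeBoxed(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    // Defensive wrapper: truncate oversized input up front, then run the regex
    // under a time budget. Returns the first match, or null when nothing
    // matched or the match was cut off by the budget.
    static String guardedFind(Pattern p, String text, long budgetMillis) {
        if (text.length() > MAX_INPUT_CHARS) {
            text = text.substring(0, MAX_INPUT_CHARS); // truncate or reject: a policy choice
        }
        Matcher m = p.matcher(TimeBoxed.withBudget(text, budgetMillis));
        try {
            return m.find() ? m.group() : null;
        } catch (RegexTimeoutException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed input: a run of letters with no digit, so neither pattern
        // can match and the nested one must exhaust its backtracking choices.
        String noDigit = "A".repeat(40); // String.repeat needs Java 11+

        long t0 = System.nanoTime();
        String r1 = guardedFind(NESTED, noDigit, 200);
        long nestedMs = (System.nanoTime() - t0) / 1_000_000;

        t0 = System.nanoTime();
        String r2 = guardedFind(FLAT, noDigit, 200);
        long flatMs = (System.nanoTime() - t0) / 1_000_000;

        System.out.printf("nested: result=%s, ~%d ms (stopped by the budget)%n", r1, nestedMs);
        System.out.printf("flat:   result=%s, ~%d ms%n", r2, flatMs);
        System.out.println("flat on \"ISO9001\": " + guardedFind(FLAT, "ISO9001", 200));
    }
}
```

Without the `TimeBoxed` wrapper, the `NESTED` call on forty letters does not return in any useful time; with it, the matcher throws from `charAt()` at the first read past the deadline and `guardedFind` reports no match. The length cap is the complementary control: it bounds the work even for patterns that are merely polynomial rather than exponential, which is the cheaper check to apply first in a content handler that sees attacker-supplied documents.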
Credit:
This incomplete fix was discovered and reported by the CodeQL team member [@atorralba (Tony Torralba)](https://github.com/atorralba) and [@jarlob (Jaroslav Lobačevski)](https://github.com/jarlob) from GitHub Security Lab. The new ReDoS was discovered by the Apache Tika team.