CVE-2016-4434

Опубликовано: 26 мая 2016

Источник: redhat

CVSS3: 5.4

CVSS2: 5.8

EPSS Низкий

Описание

Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.

It was found that the parsing of OOXML, XMP in PDF, and some other file formats by Apache Tika would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat BPM Suite 6	tika-core	Affected
Red Hat JBoss BRMS 5	tika-core	Will not fix
Red Hat JBoss BRMS 6	tika-core	Affected
Red Hat JBoss Fuse Service Works 6	tika	Not affected
Red Hat JBoss Portal 6	tika-core	Will not fix
Red Hat Satellite 5	tika	Under investigation
Red Hat JBoss BPMS 6.4		Fixed	RHSA-2017:0249	02.02.2017
Red Hat JBoss BRMS 6.4		Fixed	RHSA-2017:0248	02.02.2017
Red Hat JBoss Data Virtualization 6.3	tika-core	Fixed	RHSA-2017:0272	14.02.2017

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-611

https://bugzilla.redhat.com/show_bug.cgi?id=1340386tika: XML External Entity vulnerability

EPSS

Процентиль: 61%

0.00415

Низкий

5.4 Medium

CVSS3

5.8 Medium

CVSS2

Связанные уязвимости

CVE-2016-4434

CVSS3: 7.8

ubuntu

больше 8 лет назад

CVE-2016-4434

CVSS3: 7.8

nvd

больше 8 лет назад

CVE-2016-4434

CVSS3: 7.8

debian

больше 8 лет назад

Apache Tika before 1.13 does not properly initialize the XML parser or ...

GHSA-4xr4-4c65-hj7f

CVSS3: 7.8

github

больше 7 лет назад

Apache Tika does not properly initialize the XML parser or choose handlers

EPSS

Процентиль: 61%

0.00415

Низкий

5.4 Medium

CVSS3

5.8 Medium

CVSS2