CVE-2020-9489

MEDIUM

Description

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.

References

https://lists.apache.org/thread.html/r4d943777e36ca3aa6305a45da5acccc54ad894f2d5a07186cfa2442c%40%3Cdev.tika.apache.org%3E

https://www.oracle.com/security-alerts/cpuoct2020.html

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.james.apache.org%3E

Details

Source: MITRE

Published: 2020-04-27

Updated: 2021-05-02

Type: CWE-401

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 5.5

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 1.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:tika:1.24:*:*:*:*:*:*:*

Tenable Plugins

View all (2 total)

IDNameProductFamilySeverity
148925Oracle WebCenter Portal Multiple Vulnerabilities (Apr 2021 CPU)NessusMisc.
medium
141641Oracle Primavera Unifier (Oct 2020 CPU)NessusCGI abuses
medium