tika-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sachin (Jira)" <j...@apache.org>
Subject [jira] [Created] (TIKA-2956) Stack Overflow issue reported on metadata-extractor used version by Tika
Date Fri, 04 Oct 2019 01:38:00 GMT
Sachin created TIKA-2956:
----------------------------

             Summary: Stack Overflow issue reported on metadata-extractor used version by
Tika
                 Key: TIKA-2956
                 URL: https://issues.apache.org/jira/browse/TIKA-2956
             Project: Tika
          Issue Type: Bug
          Components: app
    Affects Versions: 1.22
            Reporter: Sachin


Nexus Sonatype has reported Security issue with metadata-extractor version used by Tika

*Severity :* CVE CVSS 3.0: 7.5Sonatype CVSS 3.0: 7.5

*Weakness :* CVE CWE: 400

*Source :* National Vulnerability Database

*Categories :* Data

*Description from CVE :* MetadataExtractor 2.1.0 allows stack consumption.

*Explanation :* The MetadataExtractor package is vulnerable to a Denial of Service [DoS] attack.
The GetWbTypeDescription[] function in the PanasonicRawWbInfo2Descriptor.cs and PanasonicRawWbInfoDescriptor.cs
files fails to prevent infinite recursion when processing malformed light source information
from PanasonicRawWbInfo metadata. A remote attacker can exploit this vulnerability by submitting
PanasonicRawWbInfo metadata containing light source information that exploits this issue.
This will cause the application to consume a large amount of available resources, ultimately
resulting in a DoS condition.

*Detection :* The application is vulnerable by using this component.

*Recommendation :* There is no non-vulnerable version of this component. We recommend investigating
alternative components or potential mitigating control.

*Root Cause :* tika-app-1.22.jarcom/drew/metadata/exif/PanasonicRawDistortionDescriptor.class
: [2.10.0 , ]

*Advisories :* Project: [https://github.com/drewnoakes/metadata-extractor/issues/419]

*CVSS Details :* CVE CVSS 3.0: 7.5CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message