CVE-2016-4434: XEE
First published: Fri May 27 2016(Updated: )
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tika | <1.13 | 1.13 |
| Apache Tika | =1.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://seclists.org/oss-sec/2016/q2/413
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1340387
- https://rhn.redhat.com/errata/RHSA-2017-0249.html
- https://rhn.redhat.com/errata/RHSA-2017-0248.html
- https://rhn.redhat.com/errata/RHSA-2017-0272.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1340386
- http://rhn.redhat.com/errata/RHSA-2017-0248.html
- http://rhn.redhat.com/errata/RHSA-2017-0249.html
- http://rhn.redhat.com/errata/RHSA-2017-0272.html
- http://www.securityfocus.com/archive/1/538500/100/0/threaded
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
- https://mail-archives.apache.org/mod_mbox/tika-dev/201605.mbox/%3C1705136517.1175366.1464278135251.JavaMail.yahoo%40mail.yahoo.com%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2016-4434?
CVE-2016-4434 has a high severity score due to the potential for remote XML External Entity (XXE) attacks.
How do I fix CVE-2016-4434?
To fix CVE-2016-4434, upgrade Apache Tika to version 1.13 or later.
What is the exploit type associated with CVE-2016-4434?
CVE-2016-4434 is associated with XML External Entity (XXE) attacks.
Which versions of Apache Tika are affected by CVE-2016-4434?
Apache Tika versions prior to 1.13, including 1.12, are affected by CVE-2016-4434.
What could be the impact of exploiting CVE-2016-4434?
Exploiting CVE-2016-4434 may allow attackers to access sensitive data or potentially execute arbitrary commands on the server.
- collector/redhat-bugzilla
- alias/CVE-2016-4434
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/references
- agent/last-modified-date
- agent/tags
- agent/description
- agent/author
- agent/event
- agent/source
- package-manager/redhat
- vendor/apache
- canonical/apache tika
- version/apache tika/1.12