CVE-2016-4434: XEE
First published: Fri May 27 2016(Updated: )
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tika | <1.13 | 1.13 |
| Apache Tika | =1.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://seclists.org/oss-sec/2016/q2/413
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1340387
- https://rhn.redhat.com/errata/RHSA-2017-0249.html
- https://rhn.redhat.com/errata/RHSA-2017-0248.html
- https://rhn.redhat.com/errata/RHSA-2017-0272.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1340386
- http://rhn.redhat.com/errata/RHSA-2017-0248.html
- http://rhn.redhat.com/errata/RHSA-2017-0249.html
- http://rhn.redhat.com/errata/RHSA-2017-0272.html
- http://www.securityfocus.com/archive/1/538500/100/0/threaded
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
- https://mail-archives.apache.org/mod_mbox/tika-dev/201605.mbox/%3C1705136517.1175366.1464278135251.JavaMail.yahoo%40mail.yahoo.com%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- collector/redhat-bugzilla
- alias/CVE-2016-4434
- collector/nvd-index
- agent/type
- agent/author
- agent/severity
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/event
- agent/description
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/apache
- canonical/apache tika
- version/apache tika/1.12