CVE-2020-1951
First published: Mon Mar 23 2020(Updated: )
A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tika | >=1.0<=1.23 | |
| Oracle Business Process Management Suite | =12.2.1.3.0 | |
| Oracle Business Process Management Suite | =12.2.1.4.0 | |
| Oracle Communications Messaging Server | =8.0.2 | |
| Oracle Communications Messaging Server | =8.1 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Canonical Ubuntu Linux | =16.04 | |
| Debian Debian Linux | =8.0 | |
| ubuntu/tika | <1.5-4ubuntu0.1 | 1.5-4ubuntu0.1 |
| debian/tika | 1.22-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread.html/rd8c1b42bd0e31870d804890b3f00b13d837c528f7ebaf77031323172%40%3Cdev.tika.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/03/msg00035.html
- https://usn.ubuntu.com/4564-1/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://launchpad.net/bugs/cve/CVE-2020-1951
- https://www.openwall.com/lists/oss-security/2020/03/18/4
- https://github.com/apache/tika/commit/ab8a9ed830ec710a32e4ffdf4989aea3aaea92ef
- https://security-tracker.debian.org/tracker/CVE-2020-1951
- https://ubuntu.com/security/notices/USN-4564-1
- https://www.cve.org/CVERecord?id=CVE-2020-1951
- https://nvd.nist.gov/vuln/detail/CVE-2020-1951
- https://ubuntu.com/security/CVE-2020-1951
Frequently Asked Questions
What is CVE-2020-1951?
CVE-2020-1951 is a vulnerability in Apache Tika's PSDParser that can be triggered by a carefully crafted or corrupt PSD file, leading to an infinite loop.
How severe is CVE-2020-1951?
CVE-2020-1951 has a severity rating of 5.5 (medium) on the CVSS scale.
Which software versions are affected by CVE-2020-1951?
Apache Tika versions 1.0-1.23 are affected by CVE-2020-1951. Additionally, Oracle Business Process Management Suite versions 12.2.1.3.0 and 12.2.1.4.0, Oracle Communications Messaging Server versions 8.0.2 and 8.1, and Oracle FLEXCUBE Private Banking versions 12.0.0 and 12.1.0 are also affected.
How can CVE-2020-1951 be exploited?
CVE-2020-1951 can be exploited by using a carefully crafted or corrupt PSD file as input to Apache Tika's PSDParser.
Are there any remedies available for CVE-2020-1951?
For Apache Tika, upgrading to version 1.22-2 or later is recommended. For other affected software, please refer to the respective vendors' advisories for available patches or updates.
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/remedy
- agent/first-publish-date
- agent/author
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- collector/usn-cve
- source/Ubuntu
- agent/tags
- agent/event
- vendor/apache
- canonical/apache tika
- version/apache tika/1.0
- version/apache tika/1.23
- vendor/oracle
- canonical/oracle business process management suite
- version/oracle business process management suite/12.2.1.3.0
- version/oracle business process management suite/12.2.1.4.0
- canonical/oracle communications messaging server
- version/oracle communications messaging server/8.0.2
- version/oracle communications messaging server/8.1
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- package-manager/debian
- package-manager/ubuntu