CVE-2016-6809

CRITICAL

Apache Tika < 1.13 - Insecure Deserialization

Title source: rule

Description

Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.

Exploits (1)

nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2016-6809-tika-vulnerable

Scores

CVSS v3 9.8
EPSS 0.0705
EPSS Percentile 91.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status draft

Affected Products (3)

apache/tika < 1.13
apache/nutch
org.apache.tika/tika-core < 1.14 (Maven)

Timeline

Published Apr 06, 2017
Tracked Since Feb 18, 2026