Description
A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
References (5)
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuoct2020.html
Mailing List, Vendor Advisory: https://lists.apache.org/thread.html/r4d943777e36ca3aa6305a45da5acccc54ad894f2d5a07186cfa2442c%40%3Cdev.tika.apache.org%3E
Mailing List: https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuApr2021.html
Patch, Third Party Advisory: https://www.oracle.com//security-alerts/cpujul2021.html
Scores
CVSS v3: 5.5
EPSS: 0.0039
EPSS Percentile: 60.1%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Details
CWE: CWE-835
Status: published
Products (12)
apache/tika 1.24
oracle/communications_messaging_server 8.1
oracle/flexcube_private_banking 12.0.0
oracle/flexcube_private_banking 12.1.0
oracle/primavera_unifier 16.1
oracle/primavera_unifier 16.2
oracle/primavera_unifier 18.8
oracle/primavera_unifier 19.12
oracle/primavera_unifier 17.7 - 17.12
oracle/webcenter_portal 12.2.1.3.0
... and 2 more
Published: Apr 27, 2020
Tracked Since: Feb 18, 2026