CVE-2020-9489 Information

Description

A carefully crafted or corrupt file may trigger a System.exit in Tika’s OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika’s ICNSParser MP3Parser MP4Parser SAS7BDATParser OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Reference

https://lists.apache.org/thread.html/r4d943777e36ca3aa6305a45da5acccc54ad894f2d5a07186cfa2442c403Cdev.tika.apache.org3E https://www.oracle.com/security-alerts/cpuoct2020.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

5.5