CVE-2021-28657 – Infinite loop in Apache Tika's MP3 parser
https://notcve.org/view.php?id=CVE-2021-28657
A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later. Un archivo cuidadosamente diseñado o corrupto puede desencadenar un bucle infinito en MP3Parser de Tika versiones hasta Tika 1.25 incluyéndola. Los usuarios de Apache Tika deben actualizar a versión 1.26 o posterior. • https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E https://lists.apache.org/thread.html/r915add4aa52c60d1b5cf085039cfa73a98d7fae9673374dfd7744b5a%40%3Cdev.tika.apache.org%3E https://security.netapp.com/advisory/ntap-20210507-0004 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpuoct2021.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2020-9489 – tika-core: Denial of Service Vulnerabilities in Some of Apache Tika's Parsers
https://notcve.org/view.php?id=CVE-2020-9489
A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release. • https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E https://lists.apache.org/thread.html/r4d943777e36ca3aa6305a45da5acccc54ad894f2d5a07186cfa2442c%40%3Cdev.tika.apache.org%3E https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuoct2020.html https://access.redhat.com/security/cve/CVE-2020-9489 https://bugzilla.redhat.com/show_bug.cgi?id=1850042 • CWE-401: Missing Release of Memory after Effective Lifetime CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2020-1951
https://notcve.org/view.php?id=CVE-2020-1951
A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23. Un archivo PSD cuidadosamente diseñado o corrupto puede causar un bucle infinito en PSDParser de Apache Tika en versiones 1.0-1.23. • https://lists.apache.org/thread.html/rd8c1b42bd0e31870d804890b3f00b13d837c528f7ebaf77031323172%40%3Cdev.tika.apache.org%3E https://lists.debian.org/debian-lts-announce/2020/03/msg00035.html https://usn.ubuntu.com/4564-1 https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2020-1950 – tika: excessive memory usage in PSDParser
https://notcve.org/view.php?id=CVE-2020-1950
A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23. Un archivo PSD cuidadosamente diseñado o corrupto puede causar un uso de memoria excesivo en el PSDParser de Apache Tika en versiones 1.0-1.23. A flaw was found in Apache Tika’s PSDParser, where a carefully crafted or corrupt PSD file can cause excessive memory usage. The highest threat from this vulnerability is to system availability. • https://lists.apache.org/thread.html/r463b1a67817ae55fe022536edd6db34e8f9636971188430cbcf8a8dd%40%3Cdev.tika.apache.org%3E https://lists.debian.org/debian-lts-announce/2020/03/msg00035.html https://usn.ubuntu.com/4564-1 https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://access.redhat.com/security/cve/CVE-2020-1950 https://bugzilla.redhat.com/show_bug.cgi?id=1822759 • CWE-400: Uncontrolled Resource Consumption •
CVE-2019-10088
https://notcve.org/view.php?id=CVE-2019-10088
A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later. Un archivo zip cuidadosamente diseñado o dañado puede causar un OOM en RecursiveParserWrapper de Tika de Apache en las versiones 1.7 hasta 1.21. Los usuarios deben actualizar a la versión 1.22 o posterior. • https://lists.apache.org/thread.html/1c63555609b737c20d1bbfa4a3e73ec488e3408a84e2f5e47e1b7e08%40%3Cdev.tika.apache.org%3E https://lists.apache.org/thread.html/39723d8227b248781898c200aa24b154683673287b150a204b83787d%40%3Cdev.tika.apache.org%3E https://lists.apache.org/thread.html/da9ee189d1756f8508d0f2386d8e25aca5a6df541739829232be8a94%40%3Cdev.tika.apache.org%3E https://lists.apache.org/thread.html/fb6c84fd387de997e5e366d50b0ca331a328c466432c80f8c5eed33d%40%3Cdev.tika.apache.org%3E https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-use • CWE-770: Allocation of Resources Without Limits or Throttling •