CVE-2022-33879 – Incomplete fix and new regex DoS in StandardsExtractingContentHandler
https://notcve.org/view.php?id=CVE-2022-33879
The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1. Las correcciones iniciales en CVE-2022-30126 y CVE-2022-30973 para regexes en el StandardsExtractingContentHandler fueron insuficientes, y encontramos un nuevo DoS regex separado en un regex diferente en el StandardsExtractingContentHandler. Estos han sido ahora corregidos en versiones 1.28.4 y 2.4.1 • http://www.openwall.com/lists/oss-security/2022/06/27/5 https://lists.apache.org/thread/wfno8mf5nlcvbs78z93q9thgrm30wwfh https://security.netapp.com/advisory/ntap-20220812-0004 •
CVE-2022-30973 – Missing fix for CVE-2022-30126 in 1.28.2
https://notcve.org/view.php?id=CVE-2022-30973
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3. No hemos aplicado la corrección de CVE-2022-30126 a la rama 1.x en la versión 1.28.2. • http://www.openwall.com/lists/oss-security/2022/05/31/2 http://www.openwall.com/lists/oss-security/2022/06/27/5 https://lists.apache.org/thread/gqvb5t4p7tmdpl0y5bdbf72pgxj04h7p https://security.netapp.com/advisory/ntap-20220722-0004 https://access.redhat.com/security/cve/CVE-2022-30973 https://bugzilla.redhat.com/show_bug.cgi?id=2099553 • CWE-1333: Inefficient Regular Expression Complexity •
CVE-2022-30126 – Apache Tika Regular Expression Denial of Service in Standards Extractor
https://notcve.org/view.php?id=CVE-2022-30126
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0 En Apache Tika, una expresión regular en nuestra clase StandardsText, usada por el StandardsExtractingContentHandler podría conllevar a una denegación de servicio causada por el backtracking en un archivo especialmente diseñado. Esto sólo afecta a usuarios que ejecutan StandardsExtractingContentHandler, que es un manejador no estándar. Esto ha sido corregido en versiones 1.28.2 y 2.4.0 • http://www.openwall.com/lists/oss-security/2022/05/16/3 http://www.openwall.com/lists/oss-security/2022/05/31/2 http://www.openwall.com/lists/oss-security/2022/06/27/5 https://lists.apache.org/thread/dh3syg68nxogbmlg13srd6gjn3h2z6r4 https://security.netapp.com/advisory/ntap-20220624-0004 https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-30126 https://bugzilla.redhat.com/show_bug.cgi?id=2088523 • CWE-1333: Inefficient Regular Expression Complexity •
CVE-2022-25169 – Apache Tika BPGParser Memory Usage DoS
https://notcve.org/view.php?id=CVE-2022-25169
The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files. El analizador BPG en Apache Tika versiones anteriores a 1.28.2 y 2.4.0, puede asignar una cantidad de memoria no razonable en archivos cuidadosamente diseñados • http://www.openwall.com/lists/oss-security/2022/05/16/4 https://lists.apache.org/thread/t3tb51sf0k2pmbnzsrrrm23z9r1c10rk https://security.netapp.com/advisory/ntap-20220804-0004 https://www.oracle.com/security-alerts/cpujul2022.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2021-33813 – jdom: XXE allows attackers to cause a DoS via a crafted HTTP request
https://notcve.org/view.php?id=CVE-2021-33813
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. Un problema de tipo XXE en SAXBuilder en JDOM versiones hasta 2.0.6, permite a atacantes causar una denegación de servicio por medio de una petición HTTP diseñada • https://alephsecurity.com/vulns/aleph-2021003 https://github.com/hunterhacker/jdom/pull/188 https://github.com/hunterhacker/jdom/releases https://lists.apache.org/thread.html/r21c406c7ed88fe340db7dbae75e58355159e6c324037c7d5547bf40b%40%3Cissues.solr.apache.org%3E https://lists.apache.org/thread.html/r5674106135bb1a6ef57483f4c63a9c44bca85d0e2a8a05895a8f1d89%40%3Cissues.solr.apache.org%3E https://lists.apache.org/thread.html/r6db397ae7281ead825338200d1f62d2827585a70797cc9ac0c4bd23f%40%3Cissues.solr.apache.org%3E https://lists.apache.org/thread.html/r845 • CWE-611: Improper Restriction of XML External Entity Reference •