CVE-2022-33879 – Incomplete fix and new regex DoS in StandardsExtractingContentHandler
https://notcve.org/view.php?id=CVE-2022-33879
The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1. Las correcciones iniciales en CVE-2022-30126 y CVE-2022-30973 para regexes en el StandardsExtractingContentHandler fueron insuficientes, y encontramos un nuevo DoS regex separado en un regex diferente en el StandardsExtractingContentHandler. Estos han sido ahora corregidos en versiones 1.28.4 y 2.4.1 • http://www.openwall.com/lists/oss-security/2022/06/27/5 https://lists.apache.org/thread/wfno8mf5nlcvbs78z93q9thgrm30wwfh https://security.netapp.com/advisory/ntap-20220812-0004 •
CVE-2022-30126 – Apache Tika Regular Expression Denial of Service in Standards Extractor
https://notcve.org/view.php?id=CVE-2022-30126
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0 En Apache Tika, una expresión regular en nuestra clase StandardsText, usada por el StandardsExtractingContentHandler podría conllevar a una denegación de servicio causada por el backtracking en un archivo especialmente diseñado. Esto sólo afecta a usuarios que ejecutan StandardsExtractingContentHandler, que es un manejador no estándar. Esto ha sido corregido en versiones 1.28.2 y 2.4.0 • http://www.openwall.com/lists/oss-security/2022/05/16/3 http://www.openwall.com/lists/oss-security/2022/05/31/2 http://www.openwall.com/lists/oss-security/2022/06/27/5 https://lists.apache.org/thread/dh3syg68nxogbmlg13srd6gjn3h2z6r4 https://security.netapp.com/advisory/ntap-20220624-0004 https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-30126 https://bugzilla.redhat.com/show_bug.cgi?id=2088523 • CWE-1333: Inefficient Regular Expression Complexity •
CVE-2022-25169 – Apache Tika BPGParser Memory Usage DoS
https://notcve.org/view.php?id=CVE-2022-25169
The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files. El analizador BPG en Apache Tika versiones anteriores a 1.28.2 y 2.4.0, puede asignar una cantidad de memoria no razonable en archivos cuidadosamente diseñados • http://www.openwall.com/lists/oss-security/2022/05/16/4 https://lists.apache.org/thread/t3tb51sf0k2pmbnzsrrrm23z9r1c10rk https://security.netapp.com/advisory/ntap-20220804-0004 https://www.oracle.com/security-alerts/cpujul2022.html • CWE-770: Allocation of Resources Without Limits or Throttling •