CVSS: 3.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-33879 – Incomplete fix and new regex DoS in StandardsExtractingContentHandler
https://notcve.org/view.php?id=CVE-2022-33879
The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1. Las correcciones iniciales en CVE-2022-30126 y CVE-2022-30973 para regexes en el StandardsExtractingContentHandler fueron insuficientes, y encontramos un nuevo DoS regex separado en un regex diferente en el StandardsExtractingContentHandler. Estos han sido ahora corregidos en versiones 1.28.4 y 2.4.1 • http://www.openwall.com/lists/oss-security/2022/06/27/5 https://lists.apache.org/thread/wfno8mf5nlcvbs78z93q9thgrm30wwfh https://security.netapp.com/advisory/ntap-20220812-0004 •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30973 – Missing fix for CVE-2022-30126 in 1.28.2
https://notcve.org/view.php?id=CVE-2022-30973
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3. No hemos aplicado la corrección de CVE-2022-30126 a la rama 1.x en la versión 1.28.2. • http://www.openwall.com/lists/oss-security/2022/05/31/2 http://www.openwall.com/lists/oss-security/2022/06/27/5 https://lists.apache.org/thread/gqvb5t4p7tmdpl0y5bdbf72pgxj04h7p https://security.netapp.com/advisory/ntap-20220722-0004 https://access.redhat.com/security/cve/CVE-2022-30973 https://bugzilla.redhat.com/show_bug.cgi?id=2099553 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2022-30126 – Apache Tika Regular Expression Denial of Service in Standards Extractor
https://notcve.org/view.php?id=CVE-2022-30126
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0 En Apache Tika, una expresión regular en nuestra clase StandardsText, usada por el StandardsExtractingContentHandler podría conllevar a una denegación de servicio causada por el backtracking en un archivo especialmente diseñado. Esto sólo afecta a usuarios que ejecutan StandardsExtractingContentHandler, que es un manejador no estándar. Esto ha sido corregido en versiones 1.28.2 y 2.4.0 • http://www.openwall.com/lists/oss-security/2022/05/16/3 http://www.openwall.com/lists/oss-security/2022/05/31/2 http://www.openwall.com/lists/oss-security/2022/06/27/5 https://lists.apache.org/thread/dh3syg68nxogbmlg13srd6gjn3h2z6r4 https://security.netapp.com/advisory/ntap-20220624-0004 https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-30126 https://bugzilla.redhat.com/show_bug.cgi?id=2088523 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2022-25169 – Apache Tika BPGParser Memory Usage DoS
https://notcve.org/view.php?id=CVE-2022-25169
The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files. El analizador BPG en Apache Tika versiones anteriores a 1.28.2 y 2.4.0, puede asignar una cantidad de memoria no razonable en archivos cuidadosamente diseñados • http://www.openwall.com/lists/oss-security/2022/05/16/4 https://lists.apache.org/thread/t3tb51sf0k2pmbnzsrrrm23z9r1c10rk https://security.netapp.com/advisory/ntap-20220804-0004 https://www.oracle.com/security-alerts/cpujul2022.html • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2021-28657 – Infinite loop in Apache Tika's MP3 parser
https://notcve.org/view.php?id=CVE-2021-28657
A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later. Un archivo cuidadosamente diseñado o corrupto puede desencadenar un bucle infinito en MP3Parser de Tika versiones hasta Tika 1.25 incluyéndola. Los usuarios de Apache Tika deben actualizar a versión 1.26 o posterior. • https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E https://lists.apache.org/thread.html/r915add4aa52c60d1b5cf085039cfa73a98d7fae9673374dfd7744b5a%40%3Cdev.tika.apache.org%3E https://security.netapp.com/advisory/ntap-20210507-0004 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpuoct2021.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •