CVE-2022-33879

Incomplete fix and new regex DoS in StandardsExtractingContentHandler

Severity Score

3.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.

Las correcciones iniciales en CVE-2022-30126 y CVE-2022-30973 para regexes en el StandardsExtractingContentHandler fueron insuficientes, y encontramos un nuevo DoS regex separado en un regex diferente en el StandardsExtractingContentHandler. Estos han sido ahora corregidos en versiones 1.28.4 y 2.4.1

It was discovered that Apache Tika can have an excessive memory usage by using a crafted or corrupt PSD file. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS. It was discovered that Apache Tika incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service.

*Credits: This incomplete fix was discovered and reported by the CodeQL team member [@atorralba (Tony Torralba)](https://github.com/atorralba) and [@jarlob (Jaroslav Lobačevski)](https://github.com/jarlob) from Github Security Lab. The new ReDos was discovered by the Apache Tika team.

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-06-16 CVE Reserved
2022-06-27 CVE Published
2024-08-03 CVE Updated
2025-07-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (3)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2022/06/27/5	Mailing List
https://lists.apache.org/thread/wfno8mf5nlcvbs78z93q9thgrm30wwfh	Mailing List
https://security.netapp.com/advisory/ntap-20220812-0004	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Tika Search vendor "Apache" for product "Tika"				< 1.28.4 Search vendor "Apache" for product "Tika" and version " < 1.28.4"		-		Affected
Apache Search vendor "Apache"		Tika Search vendor "Apache" for product "Tika"				>= 2.0.0 < 2.4.1 Search vendor "Apache" for product "Tika" and version " >= 2.0.0 < 2.4.1"		-		Affected