Aman Mishra created TIKA-3664:
---------------------------------
Summary: [8.6] [CVE-2022-23437] [xercesImpl] [2.12.1]
Key: TIKA-3664
URL: https://issues.apache.org/jira/browse/TIKA-3664
Project: Tika
Issue Type: Bug
Affects Versions: 2.1.0
Reporter: Aman Mishra
tika-bundle-standard-2.1.0.jar/xercesImpl-2.12.1.jar
tika-bundle-standard is using xercesImpl-2.12.1.jar, which seems to be
vulnerable. Please check.
*Description :*
*Severity :* Sonatype CVSS 3: 8.6; CVE CVSS 2.0: 0.0
*Weakness :* Sonatype CWE: 611
*Source :* National Vulnerability Database
*Categories :* Data
*Description from CVE :* There is a vulnerability in the XML parser when handling
specially crafted XML document payloads. This causes the XercesJ XML parser to
wait in an infinite loop, which may sometimes consume system resources for a
prolonged duration. This vulnerability is present within XercesJ version 2.12.1
and the previous versions.
*Explanation :* This issue has undergone the Sonatype Fast-Track process. For
more information, please see the Sonatype Knowledge Base Guide.
*Root Cause :* xercesImpl-2.12.1.jar : [ ,2.12.2]
*Advisories :* Project:
[http://www.openwall.com/lists/oss-security/2022/01/24/3]
*CVSS Details :* Sonatype CVSS 3: 8.6; CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
*Occurrences (Paths) :* ["/tika-bundle-standard-2.1.0.jar/xercesImpl-2.12.1.jar"]
*CVE :* CVE-2022-23437
*URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23437]
*Remediation :* This component does not have any non-vulnerable version. Please
contact the vendor to get this vulnerability fixed.
*First Scan Date :* Wed Jan 26 02:49:18 IST 2022
--
This message was sent by Atlassian Jira
(v8.20.1#820001)