CVE-2016-4434

Published on: 09/29/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:26:58 PM UTC

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Certain versions of Tika from Apache contain the following vulnerability:

Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.

  • CVE-2016-4434 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.8 - HIGH

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2 Score: 6.8 - MEDIUM

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVE References

  • MLIST (Mailing List, Vendor Advisory): [tika-dev] 20160526 [CVE-2016-4434] Apache Tika XML External Entity vulnerability (mail-archives.apache.org)
  • REDHAT: RHSA-2017:0248 (Red Hat Customer Portal, via web.archive.org)
  • BUGTRAQ: 20160526 [CVE-2016-4434] Apache Tika XML External Entity vulnerability (SecurityFocus, www.securityfocus.com)
  • REDHAT: RHSA-2017:0272 (Red Hat Customer Portal, via web.archive.org)
  • REDHAT: RHSA-2017:0249 (Red Hat Customer Portal, via web.archive.org)
  • MLIST: [lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report (Pony Mail!, lists.apache.org)

Known Affected Configurations (CPE V2.3)

Type: Application, Vendor: Apache, Product: Tika, Version: 1.12, Update: All, Edition: All, Language: All

  • cpe:2.3:a:apache:tika:1.12:*:*:*:*:*:*:*: