Arbitrary Code Execution Affecting org.apache.tika:tika-parsers package, versions [1.6,1.14)


0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 4.02% (92nd percentile)
Expand this section
NVD
9.8 critical
Expand this section
Red Hat
7.8 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGAPACHETIKA-30817
  • published 14 Nov 2016
  • disclosed 14 Nov 2016
  • credit Pierre Ernst

Overview

org.apache.tika:tika-parsers Affected versions of the package are vulnerable to Arbitrary Code Execution. Apache Tika wraps the jmatio parser to handle MATLAB files. The parser uses native deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the object is deserialized.

References