tika-core-2.4.0.jar: 1 vulnerabilities (highest severity is: 3.3)

Open mend-for-github-com[bot] opened this issue 3 years ago • 0 comments

Vulnerable Library - tika-core-2.4.0.jar

This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.

Library home page: https://tika.apache.org/

Path to dependency file: /public_pom.xml

Path to vulnerable library: /sitory/org/apache/tika/tika-core/2.4.0/tika-core-2.4.0.jar

Vulnerabilities

CVE             Severity  CVSS  Dependency           Type    Fixed in                                Remediation Available
CVE-2022-33879  Low       3.3   tika-core-2.4.0.jar  Direct  org.apache.tika:tika-core:1.28.4,2.4.1  Yes

Details

CVE-2022-33879

Dependency Hierarchy:

  • :x: tika-core-2.4.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.

Publish Date: 2022-06-27

URL: CVE-2022-33879

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33879

Release Date: 2022-06-27

Fix Resolution: org.apache.tika:tika-core:1.28.4,2.4.1

:rescue_worker_helmet: Automatic Remediation is available for this issue