Risk | High |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2016-4434 |
CWE-ID | CWE-611 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Apache Tika Server applications / Other server solutions |
Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU38176
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-4434
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
MitigationInstall update from vendor's website.
Vulnerable software versionsApache Tika: 1.12
External linkshttp://rhn.redhat.com/errata/RHSA-2017-0248.html
http://rhn.redhat.com/errata/RHSA-2017-0249.html
http://rhn.redhat.com/errata/RHSA-2017-0272.html
http://www.securityfocus.com/archive/1/538500/100/0/threaded
http://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
http://mail-archives.apache.org/mod_mbox/tika-dev/201605.mbox/%3C1705136517.1175366.1464278135251.JavaMail.yahoo%40mail.yahoo.com%3E
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.