Vulnerability Name: CVE-2016-4434 (CCN-113511)
Assigned: 2016-05-26
Published: 2016-05-26
Updated: 2018-10-09

Summary: Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.

CVSS v3 Severity:
  7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
  3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

CVSS v2 Severity:
  6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)

Vulnerability Type: CWE-611
Vulnerability Consequences: Obtain Information

References:
  Source: MITRE; Type: CNA; CVE-2016-4434
  Source: CCN; Type: RHSA-2017-0248; Moderate: Red Hat JBoss BRMS security update
  Source: REDHAT; Type: UNKNOWN; RHSA-2017:0248
  Source: CCN; Type: RHSA-2017-0249; Moderate: Red Hat JBoss BPM Suite security update
  Source: REDHAT; Type: UNKNOWN; RHSA-2017:0249
  Source: CCN; Type: RHSA-2017-0272; Moderate: Red Hat JBoss Data Virtualization security and bug fix update
  Source: REDHAT; Type: UNKNOWN; RHSA-2017:0272
  Source: CCN; Type: BugTraq Mailing List, Thu, 26 May 2016 15:55:35 +0000 (UTC); [CVE-2016-4434] Apache Tika XML External Entity vulnerability
  Source: BUGTRAQ; Type: UNKNOWN; 20160526 [CVE-2016-4434] Apache Tika XML External Entity vulnerability
  Source: XF; Type: UNKNOWN; apache-tika-cve20164434-info-disc(113511)
  Source: MLIST; Type: UNKNOWN; [lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report
  Source: MLIST; Type: Mailing List, Vendor Advisory; [tika-dev] 20160526 [CVE-2016-4434] Apache Tika XML External Entity vulnerability
  Source: CCN; Type: Apache Web site; Tika
  Source: CCN; Type: IBM Security Bulletin 6524700 (Planning Analytics Workspace); IBM Planning Analytics Workspace is affected by security vulnerabilities
  Source: CCN; Type: WhiteSource Vulnerability Database; CVE-2016-4434

Vulnerable Configuration:
  Configuration 1
  Configuration CCN 1

Oval Definitions: