org.apache.tika:tika-core@1.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tika:tika-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Regular Expression Denial of Service (ReDoS)

org.apache.tika:tika-core is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to incomplete fix of CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade org.apache.tika:tika-core to version 1.28.4, 2.4.1 or higher.

[,1.28.4) [2.0.0-ALPHA,2.4.1)
  • M
Regular Expression Denial of Service (ReDoS)

org.apache.tika:tika-core is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the StandardsText class, used by the StandardsExtractingContentHandler. This is due to an incomplete fix for CVE-2022-30126.

Note: This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade org.apache.tika:tika-core to version 1.28.3 or higher.

[,1.28.3)
  • M
Regular Expression Denial of Service (ReDoS)

org.apache.tika:tika-core is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via a specially crafted file, when being parsed by the StandardsText class, which is used by StandardsExtractingContentHandler.

Note: This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade org.apache.tika:tika-core to version 1.28.3, 2.4.0 or higher.

[,1.28.3) [2.0.0-ALPHA,2.4.0)
  • M
XML External Entity (XXE) Injection

org.apache.tika:tika-core is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection attacks. Under certain circumstances, the entity expansion limit might be removed during XML parsing.

How to fix XML External Entity (XXE) Injection?

Upgrade org.apache.tika:tika-core to version 1.19.1 or higher.

[0.4,1.19.1)
  • H
XML External Entity (XXE) Injection

org.apache.tika:tika-core is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The XML parsers were not configured to limit entity expansion.

How to fix XML External Entity (XXE) Injection?

Upgrade org.apache.tika:tika-core to version 1.19 or higher.

[1.0,1.19)
  • C
Arbitrary Command Injection

org.apache.tika:tika-core is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.

Affected versions of this package are vulnerable to Arbitrary Command Injection. Clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running to the tika-server.

How to fix Arbitrary Command Injection?

Upgrade org.apache.tika:tika-core to version 1.18 or higher.

[,1.18)