Apache Tika Vulnerabilities CVE-2022-25169 and CVE-2022-30126

Issue date: 29-06-2022
Affects versions: 15.0, 14.7, 13.4

Security Issue ID

SECURITY-329


Affected Product Version(s)

15.0.0, 14.7.6, 13.4.17, and all previous versions


Severity

low


Description

CVE-2022-25169, CVE-2022-30126

The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.

In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler.

These functions are not used by brXM in its default configuration, but they could be enabled by customizations in project code. This is unlikely, and the risk is further mitigated because only trusted content editors are likely to be able to upload a vulnerable payload.

Instructions

Update to the latest version.