CVE-2016-4434

CWE-611 — XML External Entity (XXE)10 documents8 sources

Severity

7.8HIGH

EPSS

0.4%

top 38.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tika

Timeline

PublishedSep 30

Latest updateOct 17

Description

Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.tika:tika-core< 1.13

▶NVDapache/tika1.12

▶Debiantika< 1.18-1

🔴Vulnerability Details

OSV

Apache Tika does not properly initialize the XML parser or choose handlers↗2018-10-17

▶

GHSA

Apache Tika does not properly initialize the XML parser or choose handlers↗2018-10-17

▶

OSV

CVE-2016-4434: Apache Tika before 1↗2017-09-30

▶

CVEList

CVE-2016-4434: Apache Tika before 1↗2017-09-29

▶

📋Vendor Advisories

Red Hat

tika: XML External Entity vulnerability↗2016-05-26

▶

Debian

CVE-2016-4434: tika - Apache Tika before 1.13 does not properly initialize the XML parser or choose ha...↗2016

▶

Apache

Apache tika: CVE-2016-4434↗

▶

💬Community

Bugzilla

CVE-2016-4434 tika: XML External Entity vulnerability [fedora-all]↗2016-05-27

▶

Bugzilla

CVE-2016-4434 tika: XML External Entity vulnerability↗2016-05-27

▶