CVE-2016-6809

CWE-502 — Deserialization of Untrusted Data10 documents8 sources

Severity

9.8CRITICAL

EPSS

7.0%

top 8.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tika Apache Nutch

Timeline

PublishedApr 6

Latest updateOct 17

Description

Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶Mavenorg.apache.tika:tika-core< 1.14

▶NVDapache/tika1.13

▶Debiantika< 1.18-1

▶NVDapache/nutch2.3.1

🔴Vulnerability Details

OSV

Apache Tika allows Java code execution for serialized objects embedded in MATLAB files↗2018-10-17

▶

GHSA

Apache Tika allows Java code execution for serialized objects embedded in MATLAB files↗2018-10-17

▶

CVEList

CVE-2016-6809: Apache Tika before 1↗2017-04-06

▶

OSV

CVE-2016-6809: Apache Tika before 1↗2017-04-06

▶

📋Vendor Advisories

Red Hat

tika: Native deserialization of Java objects in matlab files↗2016-11-10

▶

Debian

CVE-2016-6809: tika - Apache Tika before 1.14 allows Java code execution for serialized objects embedd...↗2016

▶

Apache

Apache tika: CVE-2016-6809↗

▶

💬Community

Bugzilla

CVE-2016-6809 tika: Native deserialization of Java objects in matlab files [fedora-all]↗2016-11-11

▶

Bugzilla

CVE-2016-6809 tika: Native deserialization of Java objects in matlab files↗2016-11-11

▶