CVE-2020-9489

CWE-835, CWE-401 (Memory Leak) | 11 documents, 9 sources
Severity: 5.5 MEDIUM
EPSS: 0.4% (top 39.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 27; Latest update May 7

Description

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reason

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (7 packages)

Maven: org.apache.tika:tika < 1.24.1
NVD: apache/tika 1.24
NVD: oracle/primavera_unifier 17.7, 17.12 (+4 more)
NVD: oracle/webcenter_portal 12.2.1.3.0, 12.2.1.4.0 (+1 more)

Patches

🔴 Vulnerability Details (4)

GHSA: Missing Release of Memory after Effective Lifetime in Apache Tika (2021-05-07)
OSV: Missing Release of Memory after Effective Lifetime in Apache Tika (2021-05-07)
OSV: CVE-2020-9489: A carefully crafted or corrupt file may trigger a System (2020-04-27)
CVEList: CVE-2020-9489: A carefully crafted or corrupt file may trigger a System (2020-04-27)

📋 Vendor Advisories (5)

Oracle: Oracle Financial Services Applications Risk Matrix: Financial Planning (Apache Tika) — CVE-2020-9489 (2021-04-15)
Oracle: Oracle Communications Applications Risk Matrix: Core (Apache Tika) — CVE-2020-9489 (2020-10-15)
Red Hat: tika-core: Denial of Service Vulnerabilities in Some of Apache Tika's Parsers (2020-04-24)
Debian: CVE-2020-9489: tika - A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote ... (2020)
Apache: Apache tika: CVE-2020-9489

💬 Community (1)

Bugzilla: CVE-2020-9489 tika-core: Denial of Service Vulnerabilities in Some of Apache Tika's Parsers (2020-06-23)
CVE-2020-9489 (MEDIUM CVSS 5.5) | A carefully crafted or corrupt file | cvebase.io