CVE-2021-28657

CWE-835 CWE-400 — Uncontrolled Resource Consumption10 documents8 sources

Severity

5.5MEDIUM

EPSS

0.2%

top 55.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tika Apache Tika Oracle Primavera Unifier +3 more

Timeline

PublishedMar 31

Latest updateApr 15

Description

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages7 packages

▶Mavenorg.apache.tika:tika< 1.26

▶CVEListV5apache_software_foundation/apache_tikaApache Tika — 1.26

▶NVDapache/tika1.25

▶NVDoracle/primavera_unifier17.7 — 17.12+3

▶NVDoracle/webcenter_portal12.2.1.3.0, 12.2.1.4.0+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Infinite loop in Apache Tika↗2021-05-10

▶

GHSA

Infinite loop in Apache Tika↗2021-05-10

▶

CVEList

Infinite loop in Apache Tika's MP3 parser↗2021-03-31

▶

OSV

CVE-2021-28657: A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1↗2021-03-31

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Security Framework (Apache Tika) — CVE-2021-28657↗2022-04-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Monitoring (Apache Tika) — CVE-2021-28657↗2021-10-15

▶

Red Hat

tika-parsers: Infinite loop in MP3Parser↗2021-03-30

▶

Debian

CVE-2021-28657: tika - A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Pa...↗2021

▶

Apache

Apache tika: CVE-2021-28657↗

▶