Apache Tika vulnerabilities

25 known vulnerabilities affecting apache/tika.

Total CVEs: 25
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 8, MEDIUM 14, LOW 1

Vulnerabilities

Page 2 of 2
CVE-2018-1339 | MEDIUM | CVSS 5.5 | fixed in 1.18 | 2018-04-25
CVE-2018-1339 [MEDIUM] CWE-835: A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.
Source: NVD
CVE-2018-1338 | MEDIUM | CVSS 5.5 | fixed in 1.18 | 2018-04-25
CVE-2018-1338 [MEDIUM] CWE-835: A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.
Source: NVD
CVE-2016-4434 | HIGH | CVSS 7.8 | v1.12 | 2017-09-30
CVE-2016-4434 [HIGH]: Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
Source: NVD
CVE-2016-6809 | CRITICAL | CVSS 9.8 | ≤ 1.13 | 2017-04-06
CVE-2016-6809 [CRITICAL] CWE-502: Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
Source: NVD
CVE-2015-3271 | MEDIUM | CVSS 5.3 | v1.9 | 2016-12-15
CVE-2015-3271 [MEDIUM] CWE-200: Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header.
Source: NVD