Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Nutch | Apache | 2.3.1 (including) | 2.3.1 (including) |
Tika | Apache | * | 1.13 (including) |
Tika | Ubuntu | upstream | * |
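
The weakness described above, native Java deserialization of an object embedded in a parsed file, is commonly mitigated by checking each class named in the stream against an allow-list before it is loaded. The following is an added example, not code from Tika or JMatIO; the class and method names (`EmbeddedObjectDemo`, `AllowListStream`, `readUnchecked`, `readChecked`) are hypothetical and the sample blob is constructed in the example itself.

```java
import java.io.*;
import java.util.*;

// Added illustration with hypothetical names; not Tika or JMatIO code.
public class EmbeddedObjectDemo {
    // Look-ahead stream: rejects a class before it is loaded or instantiated.
    static final class AllowListStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Unsafe pattern: any Serializable class on the classpath may be instantiated.
    static Object readUnchecked(byte[] blob) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return in.readObject();
        }
    }

    // Hardened pattern: only classes the parser expects are accepted.
    static Object readChecked(byte[] blob, Set<String> allowed) throws Exception {
        try (ObjectInputStream in = new AllowListStream(new ByteArrayInputStream(blob), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample standing in for an object blob embedded in a file.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new ArrayList<String>(List.of("a", "b")));
        }
        byte[] blob = buf.toByteArray();
        System.out.println("unchecked: " + readUnchecked(blob).getClass().getName());
        try {
            readChecked(blob, Set.of("java.lang.String"));
        } catch (InvalidClassException e) {
            System.out.println("checked: rejected " + e.classname);
        }
    }
}
```

On Java 9 and later, `ObjectInputStream.setObjectInputFilter` offers the same kind of class filtering without subclassing.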