A carefully crafted or corrupt file may trigger an infinite loop in Tikas MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
Weakness
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Tika | Apache | * | 1.25 (including) |
| Tika | Ubuntu | bionic | * |
| Tika | Ubuntu | focal | * |
| Tika | Ubuntu | groovy | * |
| Tika | Ubuntu | hirsute | * |
| Tika | Ubuntu | impish | * |
| Tika | Ubuntu | kinetic | * |
| Tika | Ubuntu | lunar | * |
| Tika | Ubuntu | mantic | * |
| Tika | Ubuntu | oracular | * |
| Tika | Ubuntu | plucky | * |
| Tika | Ubuntu | trusty | * |
| Tika | Ubuntu | xenial | * |
References
- https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/r915add4aa52c60d1b5cf085039cfa73a98d7fae9673374dfd7744b5a%40%3Cdev.tika.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210507-0004/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E
- https://lists.apache.org/thread.html/r915add4aa52c60d1b5cf085039cfa73a98d7fae9673374dfd7744b5a%40%3Cdev.tika.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210507-0004/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html