Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtPierre Ernst1337DAY-ID-26307
HistoryNov 11, 2016 - 12:00 a.m.

Apache Tika 1.13 Code Execution Vulnerability

2016-11-1100:00:00
Pierre Ernst
0day.today
40

0.04 Low

EPSS

Percentile

91.1%

JSON

Apache Tika wraps the jmatio parser to handle MATLAB files. The parser uses native deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the object is deserialized. Versions 1.6 through 1.13 are affected.

CVE-2016-6809 a Arbitrary Code Execution Vulnerability in Apache Tikaas MATLAB Parser 

Severity: Important 

Vendor: The Apache Software Foundation 

Versions Affected: 1.6-1.13 

Description: Apache Tika wraps the jmatio parser (https://github.com/gradusnikov/jmatio) to handle MATLAB files.  The parser uses native deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the object is deserialized. 

Mitigation: Turn off MATLAB file parsing or upgrade to Tika 1.14. 

Credit: Pierre Ernst of salesforce.com discovered this issue and contributed to the fix.

#  0day.today [2018-01-11]  #

Related

seebug 1
debiancve 1
osv 2
prion 1
redhatcve 1
ubuntucve 1
cve 1
github 1
openvas 1
nessus 1
fedora 1
ibm 1
impervablog 1
seebug
seebug
Apache Tika remote code execution vulnerability(CVE-2016-6809)
2016-11-22 00:00:00
debiancve
debiancve
CVE-2016-6809
2017-04-06 21:59:00
osv
osv
Apache Tika allows Java code execution for serialized objects embedded in MATLAB files
2018-10-17 15:44:36
CVE-2016-6809
2017-04-06 21:59:00
prion
prion
Deserialization of untrusted data
2017-04-06 21:59:00
redhatcve
redhatcve
CVE-2016-6809
2016-11-11 09:17:23
ubuntucve
ubuntucve
CVE-2016-6809
2017-04-06 00:00:00
cve
cve
CVE-2016-6809
2017-04-06 21:59:00
github
github
Apache Tika allows Java code execution for serialized objects embedded in MATLAB files
2018-10-17 15:44:36
openvas
openvas
Apache Tika Server Java Code Execution Vulnerability
2018-06-20 00:00:00
nessus
nessus
Fedora 28 : tika (2018-639385f5ec)
2019-01-03 00:00:00
fedora
fedora
[SECURITY] Fedora 28 Update: tika-1.17-1.fc28
2018-04-27 23:09:00
ibm
ibm
Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities
2022-01-11 21:02:17
impervablog
impervablog
Deserialization Attacks Surge Motivated by Illegal Crypto-mining
2018-01-24 17:45:08

0.04 Low

EPSS

Percentile

91.1%

JSON
Related for 1337DAY-ID-26307
seebug1debiancve1osv2prion1redhatcve1ubuntucve1cve1github1openvas1nessus1fedora1ibm1impervablog1