Apache Tika wraps the jmatio parser (https://github.com/gradusnikov/jmatio) to handle MATLAB files. The parser uses native Java deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the embedded object is deserialized.

Versions Affected: 1.6-1.13
Mitigation: Turn off MATLAB file parsing or upgrade to Tika 1.14
Public via: http://seclists.org/bugtraq/2016/Nov/40
Upstream patch: https://github.com/apache/tika/commit/8a68b5d474205cc9
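The first mitigation above, turning off MATLAB file parsing, can be done without code changes through a tika-config.xml that excludes the MATLAB parser from the default parser set. The fragment below is an added example and is not part of this report or of the Tika project's own files; it assumes the parser-exclude syntax from Tika's configuration documentation and the parser class name org.apache.tika.parser.mat.MatParser from the Tika source tree, neither of which is stated on this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original report.
     Excludes the MATLAB parser so .mat files fall through to no parser
     (and therefore no embedded Java object is ever deserialized).
     Assumed: the parser-exclude element as documented for Tika 1.x and
     the class name org.apache.tika.parser.mat.MatParser. -->
<properties>
  <parsers>
    <parser class="org.apache.tika.parser.DefaultParser">
      <parser-exclude class="org.apache.tika.parser.mat.MatParser"/>
    </parser>
  </parsers>
</properties>
```

Load it with TikaConfig(new File("tika-config.xml")) (or point the tika-app CLI at it with --config) and confirm the exclusion by checking that the returned parser map no longer contains an entry for the MATLAB media type; the upgrade to Tika 1.14 remains the complete fix, since the exclusion only closes this one entry point.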
Created tika tracking bugs for this issue:
Affects: fedora-all [bug 1394157]