Bug 2088523 (CVE-2022-30126) - CVE-2022-30126 tika-core: Regular Expression Denial of Service in standards extractor
Summary: CVE-2022-30126 tika-core: Regular Expression Denial of Service in standards e...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-30126
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2088524
TreeView+ depends on / blocked
 
Reported: 2022-05-19 15:45 UTC by Marian Rehak
Modified: 2022-07-07 21:38 UTC (History)
44 users (show)

Fixed In Version: tika-core 1.28.2, tika-core 2.4.0
Clone Of:
Environment:
Last Closed: 2022-07-07 21:38:20 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5532 0 None None None 2022-07-07 14:23:33 UTC

Description Marian Rehak 2022-05-19 15:45:48 UTC 
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler.

Reference:

http://www.openwall.com/lists/oss-security/2022/05/16/3
Comment 2 errata-xmlrpc 2022-07-07 14:23:29 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
Comment 3 Product Security DevOps Team 2022-07-07 21:38:17 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-30126
Note You need to log in before you can comment on or make changes to this bug.