Security
The following is an incomplete list of known and fixed Common Vulnerabilities and Exposures (CVE) entries and other vulnerabilities in Apache Tika or its dependencies. Version ranges marked with "?" have not been pinned down exactly. Please help us fill this in with more details.
| CVE or Vulnerability | Description | Reporter | Affected Versions |
|---|---|---|---|
| CVE-2018-1339 | Infinite loop in ChmParser | Tobias Ospelt | ?-1.17 |
| CVE-2018-1338 | Infinite loop in BPGParser | Tobias Ospelt | ?-1.17 |
| CVE-2018-1335 | Command execution in tika-server | Tim Allison | ?-1.17 |
| CVE-2017-12626 | Apache POI - Infinite loops in WMF, EMF, MSG and macros; OOMs in DOC, PPT and XLS | Tim Allison, Luís Filipe Nassif and Jerome Lacoste | ?-1.17 |
| CVE-2018-1324 and COMPRESS-432 | Commons Compress - Infinite loop in ZipFile | Luís Filipe Nassif and Anton Abashkin | ?-1.17 |
| CVE-2018-7489 and TIKA-2634 | Jackson - Deserialization vulnerability | Richard Cyganiak (notified Tika team) | ?-1.17 |
| TIKA-2115 | Apache POI - OOM parsing OLE object | Thomas Galla | ?-1.15 |
| COMPRESS-382 | Commons Compress - OOM detecting corrupt LZMA | Luís Filipe Nassif | ?-1.15 |
| COMPRESS-386 and TIKA-1631 | Commons Compress - OOM detecting corrupt x-compress | Pavel Micka | ?-1.15 |
| TIKA-1866 and TIKA-954 | Apache POI - OOM in DOCX and PPTX because of a bug in the Piccolo XML parser | Rob Tulloh and Shawn Johnson | ?-1.13 |
| TIKA-2040 | GC overload and OOM in ChmParser | Luís Filipe Nassif | ?-1.13 |
| CVE-2016-6809 | jmatio - Deserialization vulnerability in MATLAB parser | Pierre Ernst | 1.6-1.13 |
| CVE-2016-4434 | XXE vulnerability in several parsers | Arthur Khashaev, Seulgi Kim, Mesut Timur | 0.10-1.12 |
| CVE-2015-3271 | Remote access to host files via tika-server | Tim Allison | 1.9?-1.10 |
| TIKA-788 | Infinite loop in DWG | Stas Shaposhnikov | ?-1.4? |
| TIKA-1132 | Apache POI - Nearly infinite loop in XLS | Ryan Krueger | ?-1.4 |
| TIKA-1179 | Infinite loop in corrupt MP3 | Marius Dumitru Florea | ?-1.4 |
| TIKA-866 | OOM reading Tika config file | Stephan Mühlstrasser | ?-1.1 |
Acronyms and Terms
- Command Execution - a malicious client could inject arbitrary arguments into tika-server's command line and so run arbitrary commands on the host running tika-server.
- Deserialization Vulnerability - see OWASP's Deserialization Cheat Sheet. When untrusted bytes are reconstructed into objects without restriction, a malicious actor can make the deserializing process run arbitrary code on your computer.
- OOM - Out of Memory (Java's OutOfMemoryError). If a parser allocates memory based on a size field it reads from the file without a sanity check, a 4-byte file can cause the parser to try to allocate 2 GB of memory. See TIKA-1631.
- XXE - XML External Entity processing. If an XML parser resolves external entities declared in untrusted input, a malicious document can make it read files on your system or reach network resources from the parsing host.
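The two defensive patterns behind most of the fixes above, hardened XML parsing against XXE and sanity-checking declared lengths before allocating, as an added example in Java. This is illustration code written for this page, not Tika's own code: the class and method names (HardenedParsingDemo, newSafeSaxParser, readLengthPrefixedSafe, and so on) are hypothetical, the 64 MiB allocation cap is an assumed limit for the demo, and both inputs (an XXE document pointing at /etc/hostname and a 4-byte "file" that is nothing but a 2 GB length prefix) are constructed here.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedParsingDemo {

    // Constructed sample input: an XXE document that tries to pull a local file
    // into the element text through an external entity.
    static final String XXE_DOC =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
            + "<d>&xxe;</d>";

    // Constructed sample input: a 4-byte "file" whose only content is a big-endian
    // length prefix of 0x7FFFFFFF (about 2 GB) followed by no payload at all.
    static final byte[] HOSTILE_LENGTH_FILE = {(byte) 0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};

    // Upper bound on any single declared length we are willing to allocate for.
    // 64 MiB is an assumed limit for this demo, not a value taken from Tika.
    static final int MAX_DECLARED_LENGTH = 64 * 1024 * 1024;

    /** A SAXParser that refuses DOCTYPEs and never resolves external entities or DTDs. */
    static SAXParser newSafeSaxParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Rejecting the DOCTYPE outright defeats XXE and entity-expansion attacks in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parser implementations that would accept a DOCTYPE anyway.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f.newSAXParser();
    }

    /** Parses untrusted XML; returns true if the document was accepted, false if rejected. */
    static boolean parseUntrustedXml(String xml) throws Exception {
        SAXParser parser = newSafeSaxParser();
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            // The DOCTYPE (and with it the external entity) trips disallow-doctype-decl.
            System.out.println("XML rejected: " + e.getMessage());
            return false;
        }
    }

    /** The unsafe pattern: trust the declared length and allocate before reading anything. */
    static byte[] readLengthPrefixedUnsafe(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        int len = din.readInt();
        byte[] buf = new byte[len];   // 0x7FFFFFFF here is a ~2 GB allocation -> OutOfMemoryError
        din.readFully(buf);
        return buf;
    }

    /** The hardened pattern: bound the declared length and insist the bytes actually exist. */
    static byte[] readLengthPrefixedSafe(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        int len = din.readInt();
        if (len < 0 || len > MAX_DECLARED_LENGTH) {
            throw new IOException("declared length " + len + " exceeds limit " + MAX_DECLARED_LENGTH);
        }
        byte[] buf = new byte[len];
        din.readFully(buf);           // throws EOFException if the payload is truncated
        return buf;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("XXE document accepted? " + parseUntrustedXml(XXE_DOC));

        // Only the safe reader is run on the hostile header; readLengthPrefixedUnsafe
        // would attempt the 2 GB allocation on the same 4 bytes.
        try {
            readLengthPrefixedSafe(new ByteArrayInputStream(HOSTILE_LENGTH_FILE));
        } catch (IOException e) {
            System.out.println("length-prefixed read rejected: " + e.getMessage());
        }
    }
}
```

The length cap alone does not stop every OOM: a document can also declare many small lengths that add up, so a real parser should additionally bound the total it has allocated for one input. The XXE features shown are the JAXP/Xerces ones available in the JDK's built-in parser; a third-party parser may name them differently, so check that `setFeature` does not throw `SAXNotRecognizedException` for the implementation you actually ship.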