Download
| Alert*
|
oval:org.secpod.oval:def:704516
libtika-java is installed oval:org.secpod.oval:def:1900507 Apache libtika-java before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity attacks via vectors involving spreadsheets in OOXML files and XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175 ... oval:org.secpod.oval:def:1900684 In Apache Tika 1.19 , we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. ... |
