CVE-2016-4434: Apache Tika does not properly initialize the XML parser or choose handlers
CVSS Score: 7.8 (CVSS v3.0)
Basic Information
CVE ID: CVE-2016-4434
GHSA ID:
EPSS Score: 0.60798%
CWE:
Published: 10/17/2018
Updated: 1/9/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.tika:tika-core | maven | < 1.13 | 1.13 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
Tika's PDF parser hands a document's XMP metadata packet to PDFBox's XMP parser, and the PDFBox version bundled with Tika before 1.13 parsed that XML without secure settings (external entity resolution left enabled), so a crafted PDF could carry an XXE payload in its metadata. The patch upgrades PDFBox to 1.8.11, which contains the XXE fix for CVE-2016-2175. The vulnerable code path is Tika's PDFParser.parse() method during metadata extraction, which calls into the insecure PDFBox version; if the flaw were exploited at runtime, stack traces would show PDFParser.parse() processing the malicious XMP data through the vulnerable PDFBox library. Note that the advisory title describes the defect more broadly (Tika itself not properly initializing its XML parser or choosing handlers), so PDF metadata is one affected path rather than necessarily the only one; upgrading org.apache.tika:tika-core to 1.13 is the fix in either case.
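The defect class above is an XML parser that still resolves external general entities when fed an XMP packet. The following is an added example, not Tika or PDFBox code: it models that parsing step in Python with the standard library's xml.sax so it runs offline. The function names (extract_title, build_malicious_xmp, demo), the XMP packet and the "secret" file it points at are all constructed for the illustration. The insecure parser leaks the file's contents into dc:title; the hardened parser, with external general entities disabled, yields an empty title from the same payload.

```python
"""XXE through XMP metadata: insecure vs hardened XML parser settings.

Added example in Python (not Tika or PDFBox code). It reproduces the
parser-hardening point behind CVE-2016-4434 / CVE-2016-2175 with xml.sax.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class XmpTitleHandler(handler.ContentHandler):
    """Collects the text inside <dc:title>, the field the payload targets."""

    def __init__(self):
        super().__init__()
        self.in_title = False
        self.title = []

    def startElement(self, name, attrs):
        if name == "dc:title":
            self.in_title = True

    def endElement(self, name):
        if name == "dc:title":
            self.in_title = False

    def characters(self, content):
        if self.in_title:
            self.title.append(content)


def extract_title(xmp_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse an XMP packet and return the dc:title text.

    resolve_external_entities=True mirrors a parser left at insecure
    defaults; False is the hardened configuration (no external entity I/O).
    """
    parser = xml.sax.make_parser()
    h = XmpTitleHandler()
    parser.setContentHandler(h)
    # feature_external_ges controls external *general* entity resolution,
    # the mechanism a file-disclosure XXE payload relies on.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xmp_bytes))
    return "".join(h.title)


def build_malicious_xmp(target_path: str) -> bytes:
    """Constructed XMP packet carrying an XXE payload (hypothetical).

    The DOCTYPE declares an external entity pointing at a local file (an
    absolute path here; a real payload would usually use a file:// or http
    URL) and references it inside dc:title.
    """
    return f"""<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<!DOCTYPE x:xmpmeta [<!ENTITY xxe SYSTEM "{target_path}">]>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <dc:title>&xxe;</dc:title>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>""".encode()


def demo():
    """Write a constructed secret file, then parse the same payload with the
    insecure and the hardened settings. Returns (leaked, contained)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("SECRET-FILE-CONTENTS")  # constructed stand-in for /etc/passwd
        secret_path = f.name
    try:
        payload = build_malicious_xmp(secret_path)
        leaked = extract_title(payload, resolve_external_entities=True)
        contained = extract_title(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, contained


if __name__ == "__main__":
    leaked, contained = demo()
    print("insecure parser, dc:title =", repr(leaked))
    print("hardened parser, dc:title =", repr(contained))
```

In Java the same control is applied to the SAX/DOM parser factory before it ever sees the XMP packet (disabling external general and parameter entities, or disallowing DOCTYPE declarations outright); that is general parser-hardening practice, not a description of the specific PDFBox 1.8.11 change.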