
CVE-2016-4434: Apache Tika does not properly initialize the XML parser or choose handlers

CVSS Score (v3.0): 7.8

Basic Information

EPSS Score: 0.60798%
Published: 10/17/2018
Updated: 1/9/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: org.apache.tika:tika-core
Ecosystem: maven
Vulnerable Versions: < 1.13
First Patched Version: 1.13

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from Tika's use of PDFBox's XMP metadata parser without proper XML security settings. The patch upgrades PDFBox to 1.8.11, which contains the XXE fix (CVE-2016-2175). The vulnerable code path is in Tika's PDFParser.parse() method, which hands PDF metadata to the insecure PDFBox version for extraction. At runtime, exploitation would show PDFParser.parse() in stack traces as it processes malicious XMP data through the vulnerable PDFBox library.

WAF Protection Rules

WAF Rule

Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML external entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF
