
CVE-2020-1950: Uncontrolled Resource Consumption in Apache Tika

CVSS Score: 5.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.72277%
Published: 5/7/2021
Updated: 1/28/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Package Name: org.apache.tika:tika
Ecosystem: maven
Vulnerable Versions: >= 1.0, <= 1.23
First Patched Version: 1.24

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability (CVE-2020-1950) explicitly affects Apache Tika's PSDParser in versions 1.0-1.23. Its CWE-400 classification (uncontrolled resource consumption) points to parsing logic that does not validate input-driven memory allocation. PSDParser's parse() method is the entry point for processing PSD files and handles the layer and data-structure parsing. Without bounds checking on values such as layer counts or image dimensions read from the file header, a malicious PSD can declare abnormally large values and drive the parser into memory exhaustion. The patch in version 1.24 likely added validation checks on this critical parsing path.
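
As an added illustration of the allocation check described above (example code written for this page, not Apache Tika's PSDParser or its 1.24 patch): a hypothetical PSD header reader that validates channel count, dimensions and bit depth against caps before sizing its pixel buffer, and rejects a constructed header that declares an absurd height. The class name, the numeric caps and the pixel-buffer policy limit are assumptions; the 26-byte header layout is the documented PSD file format.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

/**
 * Hypothetical PSD header reader (not Apache Tika's PSDParser) showing the
 * check a CWE-400 finding of this kind calls for: every header-derived size
 * is validated before any allocation depends on it.
 */
public final class SafePsdHeader {
    // PSD file header (Adobe spec, big-endian, 26 bytes):
    // "8BPS" | version u16 | 6 reserved | channels u16 | height u32 | width u32 | depth u16 | color mode u16
    static final int HEADER_LEN = 26;
    static final int SIGNATURE = 0x38425053; // "8BPS"
    // Assumed caps for this example: the PSD (version 1) format limits dimensions to 30000 px
    // and channels to 56; the pixel-buffer limit is this reader's own policy, not a spec value.
    static final long MAX_DIMENSION = 30_000;
    static final int MAX_CHANNELS = 56;
    static final long MAX_PIXEL_BYTES = 256L * 1024 * 1024;

    public final int channels;
    public final long height;
    public final long width;
    public final int depth;

    private SafePsdHeader(int channels, long height, long width, int depth) {
        this.channels = channels;
        this.height = height;
        this.width = width;
        this.depth = depth;
    }

    /** Parses and validates the header; rejects anything that would drive an oversized allocation. */
    public static SafePsdHeader parse(byte[] data) throws IOException {
        if (data.length < HEADER_LEN) {
            throw new IOException("truncated PSD header");
        }
        ByteBuffer buf = ByteBuffer.wrap(data).order(ByteOrder.BIG_ENDIAN);
        if (buf.getInt() != SIGNATURE) {
            throw new IOException("not a PSD file");
        }
        int version = buf.getShort() & 0xFFFF;
        if (version != 1) {
            throw new IOException("unsupported PSD version " + version);
        }
        buf.position(buf.position() + 6); // reserved bytes
        int channels = buf.getShort() & 0xFFFF;
        // Read the u32 fields as unsigned longs so a high-bit value cannot become a
        // negative int that slips past a naive "> max" comparison.
        long height = buf.getInt() & 0xFFFFFFFFL;
        long width = buf.getInt() & 0xFFFFFFFFL;
        int depth = buf.getShort() & 0xFFFF;

        if (channels < 1 || channels > MAX_CHANNELS) {
            throw new IOException("channel count out of range: " + channels);
        }
        if (height < 1 || height > MAX_DIMENSION || width < 1 || width > MAX_DIMENSION) {
            throw new IOException("image dimensions out of range: " + width + "x" + height);
        }
        if (depth != 1 && depth != 8 && depth != 16 && depth != 32) {
            throw new IOException("unsupported bit depth: " + depth);
        }
        // With the caps above the product is at most ~2e11 and cannot overflow a long.
        long needed = pixelBytes(channels, height, width, depth);
        if (needed > MAX_PIXEL_BYTES) {
            throw new IOException("pixel buffer of " + needed + " bytes exceeds policy limit");
        }
        return new SafePsdHeader(channels, height, width, depth);
    }

    static long pixelBytes(int channels, long height, long width, int depth) {
        long bytesPerSample = Math.max(1, depth / 8);
        return height * width * channels * bytesPerSample;
    }

    /** Allocation happens only after parse() has bounded the size, so the int cast is safe. */
    public byte[] allocatePixelBuffer() {
        return new byte[(int) pixelBytes(channels, height, width, depth)];
    }

    /** Builds a constructed header for the demo (color mode 1 = grayscale). */
    static byte[] constructedHeader(int channels, long height, long width, int depth) {
        ByteBuffer b = ByteBuffer.allocate(HEADER_LEN).order(ByteOrder.BIG_ENDIAN);
        b.putInt(SIGNATURE).putShort((short) 1).put(new byte[6])
         .putShort((short) channels).putInt((int) height).putInt((int) width)
         .putShort((short) depth).putShort((short) 1);
        return b.array();
    }

    public static void main(String[] args) throws IOException {
        // Well-formed constructed header: one 8-bit channel, 4x4 pixels -> 16-byte buffer.
        SafePsdHeader ok = parse(constructedHeader(1, 4, 4, 8));
        System.out.println("accepted, buffer = " + ok.allocatePixelBuffer().length + " bytes");
        // Constructed header declaring a 4294967295-pixel-high image: rejected before any allocation.
        try {
            parse(constructedHeader(1, 0xFFFFFFFFL, 4, 8));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is ordering: the reader derives the buffer size from header fields only after each field has been range-checked, and it computes the product in a long so that a large but individually in-range value cannot overflow an int and wrap to a small allocation.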

WAF Protection Rules

WAF Rule

A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.
