CVE-2020-1951: Infinite Loop in Apache Tika

CVSS Score (v3.1)
5.5

Basic Information

EPSS Score
0.63323%
Published
5/7/2021
Updated
1/28/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name: org.apache.tika:tika
Ecosystem: maven
Vulnerable Versions: >= 1.0, <= 1.23
First Patched Version: 1.24

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The advisory for CVE-2020-1951 names PSDParser as the affected component: a malformed PSD file sends the parser into an infinite loop. The CWE-835 classification indicates a loop whose exit condition can become unreachable. The exact code is not shown here, but PSDParser's parse method is the entry point for PSD processing and is the natural home of the loop that iterates over file segments. The fix in version 1.24 most likely added validation so that the loop's termination conditions still hold while file metadata is read.
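The failure mode described above, a segment loop whose exit condition a malformed length field can make unreachable, is illustrated below with an added, self-contained Java example. It is not Apache Tika's code and does not reproduce PSDParser: the block format (a 4-byte section length followed by 4-byte-length-prefixed blocks) is constructed for the illustration, and the class, method names and the `maxBlocks` parameter are hypothetical. The unchecked reader shows how a negative block length leaves the loop counter unchanged; the checked reader shows the defender's fix: validate every length against what remains, require the cursor to advance each iteration, and cap the iteration count.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;

public class SegmentLoopDemo {

    // Constructed sample: an 11-byte section holding two blocks
    // (one with a 3-byte payload "abc", then an empty one).
    static final byte[] WELL_FORMED = {
        0, 0, 0, 11,
        0, 0, 0, 3, 'a', 'b', 'c',
        0, 0, 0, 0
    };

    // Constructed sample: the first block declares length -4 (0xFFFFFFFC).
    // In the unchecked reader this makes bytesLeft never change.
    static final byte[] MALFORMED = {
        0, 0, 0, 11,
        (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFC,
        0, 0, 0, 0, 0, 0, 0
    };

    /**
     * CWE-835 pattern (hypothetical, not Tika's code): the loop trusts the
     * block length from the file. skipBytes(negative) skips nothing and
     * "4 + len" is zero when len == -4, so bytesLeft is never reduced.
     */
    static int countBlocksUnchecked(byte[] data) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(data));
        int bytesLeft = in.readInt();   // declared size of the block section
        int count = 0;
        while (bytesLeft > 0) {
            int len = in.readInt();     // file-controlled, never validated
            in.skipBytes(len);
            bytesLeft -= 4 + len;       // no progress guarantee
            count++;
        }
        return count;
    }

    /**
     * Hardened reader: every length is bounded by the bytes that remain,
     * the cursor advances by at least 4 per iteration, and the total
     * number of blocks is capped, so the loop provably terminates.
     */
    static int countBlocksChecked(byte[] data, int maxBlocks) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(data));
        int sectionLen = in.readInt();
        if (sectionLen < 0 || sectionLen > data.length - 4) {
            throw new IOException("bad section length: " + sectionLen);
        }
        int consumed = 0;
        int count = 0;
        while (consumed < sectionLen) {
            if (count >= maxBlocks) {
                throw new IOException("too many blocks (limit " + maxBlocks + ")");
            }
            int len = in.readInt();     // readInt throws EOFException on truncation
            if (len < 0 || len > sectionLen - consumed - 4) {
                throw new IOException("bad block length: " + len);
            }
            int skipped = in.skipBytes(len);
            if (skipped != len) {
                throw new EOFException("truncated block payload");
            }
            consumed += 4 + len;        // strictly increases: at least the 4-byte header
            count++;
        }
        return count;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("well-formed, unchecked: " + countBlocksUnchecked(WELL_FORMED));
        System.out.println("well-formed, checked:   " + countBlocksChecked(WELL_FORMED, 1000));
        try {
            countBlocksChecked(MALFORMED, 1000);
        } catch (IOException e) {
            System.out.println("malformed rejected: " + e.getMessage());
        }
        // countBlocksUnchecked(MALFORMED) is deliberately not called: it never returns.
    }
}
```

The check worth copying is the progress invariant: `consumed` is bounded above by a validated `sectionLen` and grows by at least the fixed header size on every pass, so termination no longer depends on any value read from the file. The iteration cap is a second, independent guard for formats where the minimum advance per block can legitimately be very small.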

WAF Protection Rules

WAF Rule

* A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.
