oss-sec mailing list archives

CVE-2022-33879: Apache Tika: Incomplete fix and new regex DoS in StandardsExtractingContentHandler

From: Tim Allison <tallison () apache org>
Date: Mon, 27 Jun 2022 20:30:57 +0000

Severity: low

Description:

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were 
insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. 
These are now fixed in 1.28.4 and 2.4.1.

Credit:

This incomplete fix was discovered and reported by the CodeQL team member [@atorralba (Tony 
Torralba)](https://github.com/atorralba) and [@jarlob (Jaroslav Lobačevski)](https://github.com/jarlob) from Github 
Security Lab.  The new ReDos was discovered by the Apache Tika team.

Current thread:

CVE-2022-33879: Apache Tika: Incomplete fix and new regex DoS in StandardsExtractingContentHandler Tim Allison (Jun 27)