Apache Tika up to 1.28.1/2.3.x StandardsText incorrect regex

Summaryinfo

A vulnerability has been found in Apache Tika up to 1.28.1/2.3.x and classified as critical. Affected is the function StandardsText. The manipulation leads to incorrect regex. This vulnerability is traded as CVE-2022-30126. There is no exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Apache Tika up to 1.28.1/2.3.x. It has been rated as problematic. This issue affects the function StandardsText. The manipulation with an unknown input leads to a incorrect regex vulnerability. Using CWE to declare the problem leads to CWE-185. The product specifies a regular expression in a way that causes data to be improperly matched or compared. Impacted is availability.

The weakness was shared 05/17/2022. It is possible to read the advisory at lists.apache.org. The identification of this vulnerability is CVE-2022-30126 since 05/03/2022. Technical details of the vulnerability are known, but there is no available exploit.

The vulnerability scanner Nessus provides a plugin with the ID 237252 (Ubuntu 20.04 LTS / 22.04 LTS : Apache Tika vulnerabilities (USN-7529-1)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 1.28.2 or 2.4.0 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (237252). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Apache

Name

• Tika

Version

• 1.28.0
• 1.28.1
• 2.0
• 2.1
• 2.2
• 2.3

License

• open-source

Website

• Vendor: https://www.apache.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion