
tika-parsers-1.18.jar: 88 vulnerabilities (highest severity is: 9.8) #475

@mend-for-github-com

Description

Vulnerable Library - tika-parsers-1.18.jar

Apache Tika is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.

Library home page: http://www.apache.org

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (tika-parsers version) Remediation Possible** Reachability
CVE-2022-46364 Critical 9.8 cxf-core-3.0.16.jar Transitive N/A*
CVE-2022-22965 Critical 9.8 spring-beans-3.2.16.RELEASE.jar Transitive 1.21
CVE-2019-13990 Critical 9.8 quartz-2.2.0.jar Transitive N/A*
CVE-2018-20433 Critical 9.8 c3p0-0.9.1.1.jar Transitive N/A*
CVE-2024-28752 Critical 9.3 cxf-core-3.0.16.jar Transitive N/A*
CVE-2021-23926 Critical 9.1 xmlbeans-2.6.0.jar Transitive N/A*
CVE-2023-39913 High 8.8 uimaj-core-2.9.0.jar Transitive 1.21
WS-2019-0490 High 8.1 jcommander-1.35.jar Transitive N/A*
CVE-2024-25710 High 8.1 commons-compress-1.16.1.jar Transitive N/A*
CVE-2018-8039 High 8.1 cxf-rt-transports-http-3.0.16.jar Transitive N/A*
WS-2021-0419 High 7.7 gson-2.8.1.jar Transitive N/A*
CVE-2022-25647 High 7.7 gson-2.8.1.jar Transitive N/A*
CVE-2024-7254 High 7.5 protobuf-java-2.5.0.jar Transitive N/A*
CVE-2024-30172 High 7.5 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2024-29857 High 7.5 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2022-46363 High 7.5 cxf-rt-transports-http-3.0.16.jar Transitive N/A*
CVE-2022-3510 High 7.5 protobuf-java-2.5.0.jar Transitive N/A*
CVE-2022-32287 High 7.5 uimaj-core-2.9.0.jar Transitive N/A*
CVE-2022-23596 High 7.5 junrar-0.7.jar Transitive N/A*
CVE-2021-37714 High 7.5 jsoup-1.11.2.jar Transitive 1.28
CVE-2021-36090 High 7.5 commons-compress-1.16.1.jar Transitive N/A*
CVE-2021-35517 High 7.5 commons-compress-1.16.1.jar Transitive N/A*
CVE-2021-35516 High 7.5 commons-compress-1.16.1.jar Transitive N/A*
CVE-2021-35515 High 7.5 commons-compress-1.16.1.jar Transitive N/A*
CVE-2021-33813 High 7.5 jdom2-2.0.6.jar Transitive N/A*
CVE-2021-22569 High 7.5 protobuf-java-2.5.0.jar Transitive N/A*
CVE-2019-5427 High 7.5 c3p0-0.9.1.1.jar Transitive N/A*
CVE-2019-17359 High 7.5 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2019-14262 High 7.5 metadata-extractor-2.10.1.jar Transitive N/A*
CVE-2019-12402 High 7.5 commons-compress-1.16.1.jar Transitive 1.23
CVE-2018-1000180 High 7.5 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2016-1000343 High 7.5 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2016-1000342 High 7.5 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2016-1000338 High 7.5 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2016-1000344 High 7.4 bcprov-jdk15on-1.54.jar Transitive N/A*
WS-2019-0379 Medium 6.5 commons-codec-1.10.jar Transitive N/A*
CVE-2023-20863 Medium 6.5 spring-expression-3.2.16.RELEASE.jar Transitive 1.21
CVE-2023-20861 Medium 6.5 spring-expression-3.2.16.RELEASE.jar Transitive 1.21
CVE-2022-22950 Medium 6.5 spring-expression-3.2.16.RELEASE.jar Transitive 1.21
CVE-2019-12406 Medium 6.5 cxf-core-3.0.16.jar Transitive N/A*
CVE-2019-10093 Medium 6.5 tika-parsers-1.18.jar Direct 1.22
CVE-2018-8036 Medium 6.5 fontbox-2.0.9.jar Transitive N/A*
CVE-2018-17197 Medium 6.5 tika-parsers-1.18.jar Direct 1.20
CVE-2017-15691 Medium 6.5 uimafit-core-2.2.0.jar Transitive N/A*
CVE-2022-36033 Medium 6.1 jsoup-1.11.2.jar Transitive 1.28
CVE-2020-13954 Medium 6.1 cxf-rt-transports-http-3.0.16.jar Transitive 1.25
CVE-2019-17573 Medium 6.1 cxf-rt-transports-http-3.0.16.jar Transitive N/A*
CVE-2025-41242 Medium 5.9 spring-beans-3.2.16.RELEASE.jar Transitive N/A*
CVE-2025-23184 Medium 5.9 cxf-core-3.0.16.jar Transitive N/A*
CVE-2024-30171 Medium 5.9 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2020-15522 Medium 5.9 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2016-1000341 Medium 5.9 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2025-48795 Medium 5.6 cxf-core-3.0.16.jar Transitive N/A*
CVE-2023-33202 Medium 5.5 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2023-2976 Medium 5.5 guava-17.0.jar Transitive N/A*
CVE-2022-25169 Medium 5.5 tika-parsers-1.18.jar Direct 1.28.2
CVE-2022-24614 Medium 5.5 metadata-extractor-2.10.1.jar Transitive N/A*
CVE-2022-24613 Medium 5.5 metadata-extractor-2.10.1.jar Transitive N/A*
CVE-2021-31812 Medium 5.5 pdfbox-2.0.9.jar Transitive N/A*
CVE-2021-31811 Medium 5.5 pdfbox-2.0.9.jar Transitive N/A*
CVE-2021-28657 Medium 5.5 tika-parsers-1.18.jar Direct 1.26
CVE-2021-27906 Medium 5.5 pdfbox-2.0.9.jar Transitive N/A*
CVE-2021-27807 Medium 5.5 pdfbox-2.0.9.jar Transitive N/A*
CVE-2020-9489 Medium 5.5 tika-parsers-1.18.jar Direct 1.24.1
CVE-2020-1951 Medium 5.5 tika-parsers-1.18.jar Direct 1.24
CVE-2020-1950 Medium 5.5 tika-parsers-1.18.jar Direct 1.24
CVE-2018-8017 Medium 5.5 tika-parsers-1.18.jar Direct 1.19
CVE-2018-11797 Medium 5.5 pdfbox-2.0.9.jar Transitive N/A*
CVE-2018-11771 Medium 5.5 commons-compress-1.16.1.jar Transitive N/A*
CVE-2017-12624 Medium 5.5 detected in multiple dependencies Transitive N/A*
WS-2021-0174 Medium 5.3 spring-beans-3.2.16.RELEASE.jar Transitive 1.21
CVE-2025-48924 Medium 5.3 commons-lang-2.6.jar Transitive N/A*
CVE-2024-21742 Medium 5.3 apache-mime4j-core-0.8.1.jar Transitive N/A*
CVE-2023-33201 Medium 5.3 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2022-22970 Medium 5.3 detected in multiple dependencies Transitive 1.21
CVE-2022-22968 Medium 5.3 spring-context-3.2.16.RELEASE.jar Transitive 1.21
CVE-2020-26939 Medium 5.3 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2020-13956 Medium 5.3 httpclient-4.5.4.jar Transitive N/A*
CVE-2018-1199 Medium 5.3 spring-core-3.2.16.RELEASE.jar Transitive 1.21
WS-2016-7112 Medium 4.9 spring-context-3.2.16.RELEASE.jar Transitive 1.21
CVE-2024-38808 Medium 4.3 spring-expression-3.2.16.RELEASE.jar Transitive 1.21
CVE-2022-3171 Medium 4.3 protobuf-java-2.5.0.jar Transitive N/A*
CVE-2021-22096 Medium 4.3 spring-core-3.2.16.RELEASE.jar Transitive 1.21
CVE-2021-22060 Medium 4.3 spring-core-3.2.16.RELEASE.jar Transitive 1.21
CVE-2020-8908 Low 3.3 guava-17.0.jar Transitive N/A*
CVE-2015-6644 Low 3.3 bcprov-jdk15on-1.54.jar Transitive N/A*
CVE-2025-22233 Low 3.1 spring-context-3.2.16.RELEASE.jar Transitive N/A*
CVE-2024-38820 Low 3.1 spring-context-3.2.16.RELEASE.jar Transitive 1.21

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (18 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-46364

Vulnerable Library - cxf-core-3.0.16.jar

Apache CXF Core

Library home page: http://www.apache.org/

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • cxf-rt-rs-client-3.0.16.jar
      • cxf-rt-transports-http-3.0.16.jar
        • cxf-core-3.0.16.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

Publish Date: 2022-12-13

URL: CVE-2022-46364

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x3x3-qwjq-8gj4

Release Date: 2022-12-13

Fix Resolution: org.apache.cxf:cxf-core:3.4.10,3.5.5

CVE-2022-22965

Vulnerable Library - spring-beans-3.2.16.RELEASE.jar

Spring Beans

Library home page: http://springsource.org/spring-framework

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.2.16.RELEASE/spring-beans-3.2.16.RELEASE.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • uimafit-core-2.2.0.jar
      • spring-context-3.2.16.RELEASE.jar
        • spring-aop-3.2.16.RELEASE.jar
          • spring-beans-3.2.16.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE

Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.21

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-13990

Vulnerable Library - quartz-2.2.0.jar

Enterprise Job Scheduler

Library home page: http://www.terracotta.org

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/quartz-scheduler/quartz/2.2.0/quartz-2.2.0.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • netcdf4-4.5.5.jar
      • cdm-4.5.5.jar
        • quartz-2.2.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Publish Date: 2019-07-26

URL: CVE-2019-13990

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-13990

Release Date: 2019-07-26

Fix Resolution: org.quartz-scheduler:quartz:2.3.2

CVE-2018-20433

Vulnerable Library - c3p0-0.9.1.1.jar

c3p0 is an easy-to-use library for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension.

Library home page: http://c3p0.sourceforge.net

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • netcdf4-4.5.5.jar
      • cdm-4.5.5.jar
        • quartz-2.2.0.jar
          • c3p0-0.9.1.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Publish Date: 2018-12-24

URL: CVE-2018-20433

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433

Release Date: 2018-12-24

Fix Resolution: 0.9.5.3

CVE-2024-28752

Vulnerable Library - cxf-core-3.0.16.jar

Apache CXF Core

Library home page: http://www.apache.org/

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.0.16/cxf-core-3.0.16.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • cxf-rt-rs-client-3.0.16.jar
      • cxf-rt-transports-http-3.0.16.jar
        • cxf-core-3.0.16.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

Publish Date: 2024-03-15

URL: CVE-2024-28752

CVSS 3 Score Details (9.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt

Release Date: 2024-03-15

Fix Resolution: org.apache.cxf:cxf-rt-databinding-aegis:3.5.8,3.6.3,4.0.4

CVE-2021-23926

Vulnerable Library - xmlbeans-2.6.0.jar

XmlBeans main jar

Library home page: http://xmlbeans.apache.org

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/xmlbeans/xmlbeans/2.6.0/xmlbeans-2.6.0.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • poi-ooxml-3.17.jar
      • poi-ooxml-schemas-3.17.jar
        • xmlbeans-2.6.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.

Publish Date: 2021-01-14

URL: CVE-2021-23926

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23926

Release Date: 2021-01-14

Fix Resolution: org.apache.xmlbeans:xmlbeans:3.0.0

CVE-2023-39913

Vulnerable Library - uimaj-core-2.9.0.jar

The core implementation of the UIMA Java Framework

Library home page: http://www.apache.org/

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/uima/uimaj-core/2.9.0/uimaj-core-2.9.0.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • uimaj-core-2.9.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Deserialization of Untrusted Data and Improper Input Validation vulnerability in Apache UIMA Java SDK. This issue affects Apache UIMA Java SDK: before 3.5.0.

Users are recommended to upgrade to version 3.5.0, which fixes the issue.

There are several locations in the code where serialized Java objects are deserialized without verifying the data. This affects in particular:

  • the deserialization of a Java-serialized CAS, but also other binary CAS formats that include TSI information using the CasIOUtils class;
  • the CAS Editor Eclipse plugin which uses the CasIOUtils class to load data;
  • the deserialization of a Java-serialized CAS of the Vinci Analysis Engine service which can receive using Java-serialized CAS objects over network connections;
  • the CasAnnotationViewerApplet and the CasTreeViewerApplet;
  • the checkpointing feature of the CPE module.

Note that the UIMA framework by default does not start any remotely accessible services (i.e. Vinci) that would be vulnerable to this issue. A user or developer would need to make an active choice to start such a service. However, users or developers may use the CasIOUtils in their own applications and services to parse serialized CAS data. They are affected by this issue unless they ensure that the data passed to CasIOUtils is not a serialized Java object.

When using Vinci or using CasIOUtils in own services/applications, the unrestricted deserialization of Java-serialized CAS files may allow arbitrary (remote) code execution.

As a remedy, it is possible to set up a global or context-specific ObjectInputFilter (cf. https://openjdk.org/jeps/290  and  https://openjdk.org/jeps/415 ) if running UIMA on a Java version that supports it.

Note that Java 1.8 does not support the ObjectInputFilter, so there is no remedy when running on this out-of-support platform. An upgrade to a recent Java version is strongly recommended if you need to secure an UIMA version that is affected by this issue.

To mitigate the issue on a Java 9+ platform, you can configure a filter pattern through the "jdk.serialFilter" system property using a semicolon as a separator:

To allow deserializing Java-serialized binary CASes, add the classes:

  • org.apache.uima.cas.impl.CASCompleteSerializer
  • org.apache.uima.cas.impl.CASMgrSerializer
  • org.apache.uima.cas.impl.CASSerializer
  • java.lang.String

To allow deserializing CPE Checkpoint data, add the following classes (and any custom classes your application uses to store its checkpoints):

  • org.apache.uima.collection.impl.cpm.CheckpointData
  • org.apache.uima.util.ProcessTrace
  • org.apache.uima.util.impl.ProcessTrace_impl
  • org.apache.uima.collection.base_cpm.SynchPoint

Make sure to use "!*" as the final component to the filter pattern to disallow deserialization of any classes not listed in the pattern.

Apache UIMA 3.5.0 uses tightly scoped ObjectInputFilters when reading Java-serialized data depending on the type of data being expected. Configuring a global filter is not necessary with this version.

Publish Date: 2023-11-08

URL: CVE-2023-39913

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-39913

Release Date: 2023-11-08

Fix Resolution (org.apache.uima:uimaj-core): 3.5.0

Direct dependency fix Resolution (org.apache.tika:tika-parsers): 1.21

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0490

Vulnerable Library - jcommander-1.35.jar

A Java framework to parse command line options with annotations.

Library home page: http://beust.com/

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/beust/jcommander/1.35/jcommander-1.35.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • netcdf4-4.5.5.jar
      • cdm-4.5.5.jar
        • jcommander-1.35.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75: jcommander resolves dependencies over HTTP instead of HTTPS.

Publish Date: 2019-02-19

URL: WS-2019-0490

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-19

Fix Resolution: com.beust:jcommander:1.75

CVE-2024-25710

Vulnerable Library - commons-compress-1.16.1.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: http://commons.apache.org/proper/commons-compress/

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.16.1/commons-compress-1.16.1.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • commons-compress-1.16.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-02-19

URL: CVE-2024-25710

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710

Release Date: 2024-02-19

Fix Resolution: org.apache.commons:commons-compress:1.26.0

CVE-2018-8039

Vulnerable Library - cxf-rt-transports-http-3.0.16.jar

Apache CXF Runtime HTTP Transport

Library home page: http://www.apache.org/

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/cxf/cxf-rt-transports-http/3.0.16/cxf-rt-transports-http-3.0.16.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • cxf-rt-rs-client-3.0.16.jar
      • cxf-rt-transports-http-3.0.16.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

Publish Date: 2018-07-02

URL: CVE-2018-8039

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8039

Release Date: 2018-07-02

Fix Resolution: 3.2.5,3.1.16

WS-2021-0419

Vulnerable Library - gson-2.8.1.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.1/gson-2.8.1.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • gson-2.8.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9

CVE-2022-25647

Vulnerable Library - gson-2.8.1.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.1/gson-2.8.1.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • gson-2.8.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647

Release Date: 2022-05-01

Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9

CVE-2024-7254

Vulnerable Library - protobuf-java-2.5.0.jar

Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: http://www.google.com/

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/2.5.0/protobuf-java-2.5.0.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • netcdf4-4.5.5.jar
      • cdm-4.5.5.jar
        • protobuf-java-2.5.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.

Publish Date: 2024-09-19

URL: CVE-2024-7254

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-7254

Release Date: 2024-09-19

Fix Resolution: com.google.protobuf:protobuf-javalite - 3.25.5,4.28.2,4.27.5;com.google.protobuf:protobuf-java - 4.27.5,3.25.5,4.28.2

CVE-2024-30172

Vulnerable Library - bcprov-jdk15on-1.54.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • bcmail-jdk15on-1.54.jar
      • bcprov-jdk15on-1.54.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

Publish Date: 2024-05-09

URL: CVE-2024-30172

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-05-09

Fix Resolution: org.bouncycastle:bcprov-jdk18on:1.78,org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78, BouncyCastle.Cryptography - 2.3.1

CVE-2024-29857

Vulnerable Library - bcprov-jdk15on-1.54.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • bcmail-jdk15on-1.54.jar
      • bcprov-jdk15on-1.54.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Publish Date: 2024-05-09

URL: CVE-2024-29857

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8xfc-gm6g-vgpv

Release Date: 2024-05-09

Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1

CVE-2022-46363

Vulnerable Library - cxf-rt-transports-http-3.0.16.jar

Apache CXF Runtime HTTP Transport

Library home page: http://www.apache.org/

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/cxf/cxf-rt-transports-http/3.0.16/cxf-rt-transports-http-3.0.16.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • cxf-rt-rs-client-3.0.16.jar
      • cxf-rt-transports-http-3.0.16.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.

Publish Date: 2022-12-13

URL: CVE-2022-46363

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-13

Fix Resolution: org.apache.cxf:cxf-rt-transports-http:3.4.10,3.5.5

CVE-2022-3510

Vulnerable Library - protobuf-java-2.5.0.jar

Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: http://www.google.com/

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/2.5.0/protobuf-java-2.5.0.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • netcdf4-4.5.5.jar
      • cdm-4.5.5.jar
        • protobuf-java-2.5.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2022-11-11

URL: CVE-2022-3510

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4gg5-vx3j-xwc7

Release Date: 2022-11-11

Fix Resolution: com.google.protobuf:protobuf-javalite:3.21.7

CVE-2022-32287

Vulnerable Library - uimaj-core-2.9.0.jar

The core implementation of the UIMA Java Framework

Library home page: http://www.apache.org/

Path to dependency file: /tools/nibrs-common/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/uima/uimaj-core/2.9.0/uimaj-core-2.9.0.jar

Dependency Hierarchy:

  • tika-parsers-1.18.jar (Root Library)
    • uimaj-core-2.9.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into a UIMA installation from untrusted sources, because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.

Publish Date: 2022-11-03

URL: CVE-2022-32287

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.


⛑️Automatic Remediation will be attempted for this issue.
