https://bugzilla.redhat.com/show_bug.cgi?id=1340386
Bug ID: 1340386
Summary: CVE-2016-4434 tika: XML External Entity vulnerability
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: alazarot@redhat.com, aszczucz@redhat.com, bdawidow@redhat.com, bgollahe@redhat.com, bkearney@redhat.com, brms-jira@redhat.com, chazlett@redhat.com, epp-bugs@redhat.com, etirelli@redhat.com, felias@redhat.com, hchiorea@redhat.com, hfnukal@redhat.com, java-sig-commits@lists.fedoraproject.org, jcoleman@redhat.com, jolee@redhat.com, jpallich@redhat.com, kanderso@redhat.com, lpetrovi@redhat.com, mbaluch@redhat.com, meissner@suse.de, mweiler@redhat.com, mwinkler@redhat.com, nwallace@redhat.com, ohudlick@redhat.com, pavelp@redhat.com, puntogil@libero.it, rrajasek@redhat.com, rzhang@redhat.com, rzima@redhat.com, taw@redhat.com, theute@redhat.com, thomas@suse.de, tkasparek@redhat.com, tkirby@redhat.com, tlestach@redhat.com, vhalbert@redhat.com
Apache Tika parses XML within numerous file formats. In some instances, such as spreadsheets in OOXML files, XMP in PDF, and other file formats, the initialization of the XML parser or the choice of handlers did not protect against XML External Entity (XXE) vulnerabilities.
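The following is an added illustration of the parser-initialization mistake described above; it is not Tika's code and not taken from the upstream fix. It builds a constructed OOXML-style worksheet whose DOCTYPE declares an external entity pointing at a temporary file (standing in for a secret on the extracting host), then feeds it to a stock JDK SAX parser and to one configured with the Xerces features that disable DOCTYPEs and external entity resolution. The feature URIs are the standard Xerces/SAX ones supported by the JDK's bundled parser; the class and method names are this example's own.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class TikaXxeDemo {

    // Constructed sample: a minimal OOXML-like sheet with an external general entity in its DOCTYPE.
    // The cell text is the entity reference, so a text extractor that resolves it leaks the file.
    static String payload(File secret) {
        return "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE worksheet [\n"
            + "  <!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">\n"
            + "]>\n"
            + "<worksheet><sheetData><row><c t=\"inlineStr\">"
            + "<is><t>&xxe;</t></is></c></row></sheetData></worksheet>";
    }

    // Handler that collects character data, mimicking a content-extraction handler.
    static class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        @Override public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }
    }

    // Vulnerable initialization: factory defaults, DTDs and external general entities enabled.
    static SAXParserFactory unsafeFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened initialization: reject DOCTYPE outright and, as defence in depth,
    // turn off external entity and external DTD loading and enable secure processing.
    static SAXParserFactory safeFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Parse with the given factory and return the extracted text.
    static String extractText(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        TextCollector handler = new TextCollector();
        parser.parse(new InputSource(new StringReader(xml)), handler);
        return handler.text.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive file readable by the process doing the extraction.
        File secret = File.createTempFile("secret", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "TOP-SECRET-CONTENTS".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);

        // With a stock JDK parser the entity is resolved and the file content becomes "cell text".
        System.out.println("unsafe parser extracted: " + extractText(unsafeFactory(), xml));

        // The hardened parser refuses the document at the DOCTYPE, before any entity is touched.
        try {
            System.out.println("safe parser extracted: " + extractText(safeFactory(), xml));
        } catch (SAXParseException e) {
            System.out.println("safe parser rejected the document: " + e.getMessage());
        }
    }
}
```

The second half of the advisory's point, the choice of handlers, matters when a DOCTYPE has to be tolerated: a handler that resolves entities (or an EntityResolver that returns real content) reintroduces the leak even with a correctly initialized parser, so the entity resolver should return an empty InputSource and the factory features above should be applied to every parser Tika's format modules create, not only the top-level one.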
References:
http://seclists.org/oss-sec/2016/q2/413