CVE-2022-30126

Apache Tika Regular Expression Denial of Service in Standards Extractor

Description

In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0

Remediation

Workaround:

Upgrade to 1.28.2 or 2.4.0

5.5

CVSS

Severity: Medium

CVSS 3.1 •

CVSS 2.0 •

EPSS 0.91% Top 30%

Vendor Advisory apache.org

Affected: Apache Software Foundation Apache Tika

References

Link	Tags
https://lists.apache.org/thread/dh3syg68nxogbmlg13srd6gjn3h2z6r4	mailing list vendor advisory
http://www.openwall.com/lists/oss-security/2022/05/16/3	third party advisory mailing list
http://www.openwall.com/lists/oss-security/2022/05/31/2	third party advisory mailing list
http://www.openwall.com/lists/oss-security/2022/06/27/5	third party advisory mailing list
https://www.oracle.com/security-alerts/cpujul2022.html	third party advisory
https://security.netapp.com/advisory/ntap-20220624-0004/	third party advisory

Frequently Asked Questions

What is the severity of CVE-2022-30126?: CVE-2022-30126 has been scored as a medium severity vulnerability.
How to fix CVE-2022-30126?: As a workaround for remediating CVE-2022-30126: Upgrade to 1.28.2 or 2.4.0
Is CVE-2022-30126 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-30126 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-30126?: CVE-2022-30126 affects Apache Software Foundation Apache Tika.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.