PT-2020-4628 · Apache · Apache Tika

Published

2020-04-24

·

Updated

2022-10-07

·

CVE-2020-9489

CVSS v3.1

5.5

Medium

Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Apache Tika versions prior to 1.24.1
Description A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNoteParser; because System.exit terminates the JVM, this takes down the whole application that embeds Tika, not just the parse. Crafted or corrupted files can also cause out-of-memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. The underlying weaknesses are loops with no reachable exit condition and memory that is not released after its effective lifetime (memory leak). An attacker who can submit a file for parsing, for example through an upload handled by a service built on Tika, can exploit them to cause a denial of service.
Recommendations For versions prior to 1.24.1, upgrade to 1.24.1 or later. Until the upgrade is applied, restrict the affected parsers (OneNoteParser, ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser and ImageParser), for example by excluding them from the DefaultParser in tika-config.xml, and parse untrusted input in a separate process with a parse timeout and a memory cap, so that a System.exit, an infinite loop or an out-of-memory condition in a parser cannot take down the embedding application.
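As an added example (not code from the original advisory or from the Tika project), the following Java program combines the workaround from the Recommendations with process isolation for the failure modes named in the Description: it loads a constructed tika-config.xml that excludes the affected parsers from the DefaultParser, then runs parsing in a child JVM through Tika's ForkParser with a parse timeout and a heap limit. The fully qualified parser class names, the ForkParser setters (setServerParseTimeoutMillis, setJavaCommand) and the TikaConfig(InputStream) constructor are assumed from the Tika 1.x API; verify them against the tika-core and tika-parsers jars you actually deploy.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;

import org.apache.tika.config.TikaConfig;
import org.apache.tika.fork.ForkParser;
import org.apache.tika.metadata.Metadata;
import org.apache.tika.parser.AutoDetectParser;
import org.apache.tika.parser.ParseContext;
import org.apache.tika.sax.BodyContentHandler;

public class IsolatedTikaParse {

    // Constructed tika-config.xml for this example: removes the parsers named in
    // CVE-2020-9489 from the DefaultParser. The class names are assumptions taken
    // from the Tika 1.x parser packages; check them against your tika-parsers jar.
    private static final String TIKA_CONFIG_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<properties>\n"
      + "  <parsers>\n"
      + "    <parser class=\"org.apache.tika.parser.DefaultParser\">\n"
      + "      <parser-exclude class=\"org.apache.tika.parser.microsoft.onenote.OneNoteParser\"/>\n"
      + "      <parser-exclude class=\"org.apache.tika.parser.image.ICNSParser\"/>\n"
      + "      <parser-exclude class=\"org.apache.tika.parser.image.ImageParser\"/>\n"
      + "      <parser-exclude class=\"org.apache.tika.parser.mp3.Mp3Parser\"/>\n"
      + "      <parser-exclude class=\"org.apache.tika.parser.mp4.MP4Parser\"/>\n"
      + "      <parser-exclude class=\"org.apache.tika.parser.sas.SAS7BDATParser\"/>\n"
      + "    </parser>\n"
      + "  </parsers>\n"
      + "</properties>\n";

    // Extracts text from an untrusted file without letting a parser failure
    // (System.exit, infinite loop, OutOfMemoryError) affect the calling JVM.
    public static String extractText(Path file, long parseTimeoutMillis, int maxChars) throws Exception {
        TikaConfig config;
        try (InputStream in = new ByteArrayInputStream(TIKA_CONFIG_XML.getBytes(StandardCharsets.UTF_8))) {
            config = new TikaConfig(in); // assumed constructor: TikaConfig(InputStream)
        }
        // Parser instance that will be serialized to the child JVM by ForkParser.
        AutoDetectParser configuredParser = new AutoDetectParser(config);

        try (ForkParser fork = new ForkParser(IsolatedTikaParse.class.getClassLoader(), configuredParser)) {
            // Child JVM with its own heap cap: an OOM or System.exit ends the child, not us.
            fork.setJavaCommand(Arrays.asList("java", "-Xmx256m", "-Djava.awt.headless=true"));
            // Abort parses that do not finish in time, which bounds an infinite loop.
            fork.setServerParseTimeoutMillis(parseTimeoutMillis);

            // Cap the amount of extracted text to bound memory use in this process too.
            BodyContentHandler handler = new BodyContentHandler(maxChars);
            Metadata metadata = new Metadata();
            try (InputStream stream = Files.newInputStream(file)) {
                fork.parse(stream, handler, metadata, new ParseContext());
            }
            return handler.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: IsolatedTikaParse <file>");
            System.exit(2);
        }
        // 30 s parse budget, at most 1,000,000 characters of extracted text.
        String text = extractText(Paths.get(args[0]), 30_000L, 1_000_000);
        System.out.println(text);
    }
}
```

A parse that hits the timeout or whose child JVM dies surfaces as an exception from fork.parse (a TikaException or IOException), which the caller should treat as "file rejected" rather than retrying; the excluded parsers simply fall through to Tika's EmptyParser, so affected formats yield no text until the upgrade to 1.24.1 or later restores them.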

Fix

Weakness Enumeration

Infinite Loop (CWE-835)

Memory Leak (CWE-401)

Related Identifiers

BDU:2020-05177
CVE-2020-9489
GHSA-4PV3-63JW-4JW2

Affected Products

Apache Tika
Debian