PT-2024-18999 · Apache+1 · Tika+2
Tmortagne · Published 2024-01-08 · Updated 2024-01-12
CVE-2024-21651
| CVSS v3.1 | 7.5 (High) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.10.18
XWiki Platform versions prior to 15.5.3
XWiki Platform versions prior to 15.8 RC1
Description
A user who is able to attach a file to a page can upload a malformed TAR archive whose file modification time headers have been manipulated. When Tika parses the attachment (through Apache Commons Compress) the malformed headers can cause a denial of service through excessive CPU consumption.
Recommendations
For versions prior to 14.10.18, update to version 14.10.18 or later.
For versions prior to 15.5.3, update to version 15.5.3 or later.
For versions prior to 15.8 RC1, update to version 15.8 RC1 or later.
As a temporary workaround, download commons-compress 1.24, replace the commons-compress jar located in XWiki's WEB-INF/lib/ folder with it, and restart the servlet container so the new jar is loaded.
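The advisory does not spell out which part of the TAR time headers is malformed, so what follows is an added, hypothetical pre-filter (not XWiki's, Tika's or Commons Compress's own code) that a deployment could run on uploaded attachments before they reach the indexer. It walks the archive's raw 512-byte blocks instead of handing the file to a library, checks that every ustar mtime field is octal and that every PAX mtime/atime/ctime record is a plain decimal timestamp, and reports anything else. The accepted shape (at most 19 integer digits, an optional fraction of at most 9 digits, no exponent) is an assumption, the sample archives are constructed inside the block, and the check is a stopgap beside the upgrade, not a replacement for it.

```python
from __future__ import annotations

import re

BLOCK = 512
TIME_KEYS = {"mtime", "atime", "ctime"}
# Assumption: a sane PAX timestamp is seconds with an optional fraction of at most
# nine digits, no exponent and no absurd length. Anything else is flagged.
SANE_TIME = re.compile(r"^-?\d{1,19}(\.\d{1,9})?$")


def _octal(raw: bytes) -> int | None:
    """Parse a NUL/space-terminated octal ustar field; None if it is not octal."""
    s = raw.strip(b"\0 ")
    if not s:
        return 0
    try:
        return int(s, 8)
    except ValueError:
        return None


def parse_pax_records(data: bytes) -> list[tuple[str, str]] | None:
    """Split PAX extended-header data ("<len> <key>=<value>\\n" records); None if malformed."""
    records, pos = [], 0
    while pos < len(data):
        sp = data.find(b" ", pos)
        try:
            length = int(data[pos:sp]) if sp > pos else 0
        except ValueError:
            return None
        if length <= 0 or pos + length > len(data) or data[pos + length - 1] != 0x0A:
            return None
        key, eq, val = data[sp + 1:pos + length - 1].partition(b"=")
        if not eq:
            return None
        records.append((key.decode("utf-8", "replace"), val.decode("utf-8", "replace")))
        pos += length
    return records


def check_tar(data: bytes) -> list[str]:
    """Walk the archive's 512-byte blocks and report time fields a parser might choke on."""
    findings, off = [], 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:  # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        size = _octal(hdr[124:136])
        if size is None:  # base-256 or garbage size: cannot locate the next header
            findings.append(f"{name!r}: size field is not octal; stopping")
            break
        if _octal(hdr[136:148]) is None:
            findings.append(f"{name!r}: ustar mtime field is not octal")
        if hdr[156:157] in (b"x", b"g"):  # PAX extended / global header
            records = parse_pax_records(data[off + BLOCK:off + BLOCK + size])
            if records is None:
                findings.append(f"{name!r}: malformed PAX extended header")
            else:
                for key, val in records:
                    if key in TIME_KEYS and not SANE_TIME.fullmatch(val):
                        findings.append(f"{name!r}: PAX {key}={val[:40]!r} is not a plain timestamp")
        off += BLOCK + -(-size // BLOCK) * BLOCK
    return findings


# --- constructed sample archives (test fixtures, not real attachments) -------------

def _ustar_header(name: bytes, size: int, typeflag: bytes, mtime: int = 0) -> bytes:
    h = bytearray(BLOCK)
    h[0:len(name)] = name
    h[100:108], h[108:116], h[116:124] = b"0000644\0", b"0000000\0", b"0000000\0"
    h[124:136], h[136:148] = b"%011o\0" % size, b"%011o\0" % mtime
    h[148:156], h[156:157] = b"        ", typeflag  # checksum is summed over spaces
    h[257:263], h[263:265] = b"ustar\0", b"00"
    h[148:156] = b"%06o\0 " % sum(h)
    return bytes(h)


def _pax_data(records: dict[str, str]) -> bytes:
    out = b""
    for key, val in records.items():
        body = f" {key}={val}\n".encode()
        total = len(body) + len(str(len(body)))
        if len(str(total)) != len(str(len(body))):  # the length field grew a digit
            total += 1
        out += str(total).encode() + body
    return out


def _pad(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % BLOCK)


def build_tar(pax: dict[str, str] | None, payload: bytes = b"hello\n") -> bytes:
    """One regular file, optionally preceded by a PAX extended header carrying `pax`."""
    out = b""
    if pax:
        data = _pax_data(pax)
        out += _ustar_header(b"./PaxHeaders/note.txt", len(data), b"x") + _pad(data)
    out += _ustar_header(b"note.txt", len(payload), b"0", mtime=1704672000) + _pad(payload)
    return out + b"\0" * (2 * BLOCK)


if __name__ == "__main__":
    print("benign:", check_tar(build_tar({"mtime": "1704672000.5"})))
    print("suspect:", check_tar(build_tar({"mtime": "1e999999999"})))
```

The walker deliberately does not validate header checksums or follow base-256 size encodings: it stops at the first header it cannot place, and an archive that produces any finding should be rejected outright rather than repaired, since the goal is only to keep obviously abnormal time fields away from the indexer until the patched versions are deployed.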
Exploit
Fix
DoS
Resource Exhaustion
Affected Products
Tika
XWiki Platform
Commons-Compress