CVE-2016-4434
Apache Tika does not properly initialize the XML parser or choose handlers
CVSS 3.1 score: 7.8 (HIGH)
EPSS: 0.41%
Description
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
How to fix CVE-2016-4434
To remediate CVE-2016-4434, upgrade the affected package to one of the fixed versions below.
- upgrade to 1.18-1 or later
- upgrade to 1.13 or later
Is CVE-2016-4434 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.18-1
- from 0, < 1.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |