CVE-2016-6809 — Apache Tika allows Java code execution for serialized objects embedded in MATLAB

Description

Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.

How to fix CVE-2016-6809

To remediate CVE-2016-6809, upgrade the affected package to a fixed version below.

Debian/tika—upgrade to 1.18-1 or later
—upgrade to 1.14 or later

Is CVE-2016-6809 being exploited?

Moderate — EPSS is 7.0%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 1.18-1
from 0, < 1.14

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (13)

ADVISORYgithub.com/advisories/GHSA-j8g6-2wh7-6439
ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-6809
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-6809
PATCHgithub.com/apache/tika
WEB