CVE-2020-1950

Description

A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser in versions 1.0-1.23.

How to fix CVE-2020-1950

To remediate CVE-2020-1950, upgrade the affected package to a fixed version below.

• Debian/tika—upgrade to 1.22-2 or later
• Debian/tika—upgrade to 1.5-1+deb8u1 or later
• —upgrade to 1.24 or later

Is CVE-2020-1950 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 1.22-2
• from 0, < 1.5-1+deb8u1
• >= 1.0, < 1.24

CVSS scores

References (8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-1950
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-1950
• PATCHgithub.com/apache/tika
• WEBlists.apache.org/thread.html/r463b1a67817ae55fe022536edd6db34e8f9636971188430cbcf8a8dd%40%3Cdev.tika.apache.org%3E