CVE-2020-1951 - A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in ver

CVE-2020-1951

Summary

A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.

References

Vulnerable Configurations

cpe:2.3:a:apache:tika:1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.19.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.19.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:tika:1.23:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_messaging_server:8.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_messaging_server:8.0.2:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 07-10-2022 - 01:59)
Impact:
Exploitability:

CWE

CWE-835

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:N/A:P

refmap via4

misc	https://lists.apache.org/thread.html/rd8c1b42bd0e31870d804890b3f00b13d837c528f7ebaf77031323172%40%3Cdev.tika.apache.org%3E https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html
mlist	[debian-lts-announce] 20200328 [SECURITY] [DLA 2161-1] tika security update
ubuntu	USN-4564-1

Last major update

07-10-2022 - 01:59

Published

23-03-2020 - 14:15

Last modified

07-10-2022 - 01:59