Nexus Sonatype has reported Security issue with metadata-extractor version used by Tika
Severity : CVE CVSS 3.0: 7.5Sonatype CVSS 3.0: 7.5
Weakness : CVE CWE: 400
Source : National Vulnerability Database
Categories : Data
Description from CVE : MetadataExtractor 2.1.0 allows stack consumption.
Explanation : The MetadataExtractor package is vulnerable to a Denial of Service [DoS] attack. The GetWbTypeDescription function in the PanasonicRawWbInfo2Descriptor.cs and PanasonicRawWbInfoDescriptor.cs files fails to prevent infinite recursion when processing malformed light source information from PanasonicRawWbInfo metadata. A remote attacker can exploit this vulnerability by submitting PanasonicRawWbInfo metadata containing light source information that exploits this issue. This will cause the application to consume a large amount of available resources, ultimately resulting in a DoS condition.
Detection : The application is vulnerable by using this component.
Recommendation : There is no non-vulnerable version of this component. We recommend investigating alternative components or potential mitigating control.
Root Cause : tika-app-1.22.jarcom/drew/metadata/exif/PanasonicRawDistortionDescriptor.class : [2.10.0 , ]
Advisories : Project: https://github.com/drewnoakes/metadata-extractor/issues/419
CVSS Details : CVE CVSS 3.0: 7.5CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H