Details
- Bug
- Status: Resolved
- Major
- Resolution: Duplicate
- 1.23
- None
- None
- None
Description
This issue has been created automatically by a source code scanner.
- Third party component with known security vulnerabilities
ent-search-master/script/vendor_jars > Jars.lock > com.drewnoakes:metadata-extractor@2.11.0
- Overview
[com.drewnoakes:metadata-extractor](https://github.com/drewnoakes/metadata-extractor) is a Java library for reading metadata from image files.
Affected versions of this package are vulnerable to Buffer Overflow.
Extraction of light source metadata from an invalid/corrupt image file can lead to an infinite loop recursion within the `PanasonicRawWbInfo2` descriptor class, resulting in stack consumption.
- Remediation
Upgrade `com.drewnoakes:metadata-extractor` to version v2.13.0 or higher.
- References
- [GitHub Commit Java](https://github.com/drewnoakes/metadata-extractor/pull/420/commits/11cfd54eba77b1164721ca6276a42986ba054fea)
- [GitHub Commit .NET](https://github.com/drewnoakes/metadata-extractor-dotnet/pull/190/commits/3142e5e6a95f2760ace1d2fdd9d50a97eb1c0e23)
- [GitHub PR Java](https://github.com/drewnoakes/metadata-extractor/pull/420)
- [GitHub PR .NET](https://github.com/drewnoakes/metadata-extractor-dotnet/pull/190)
- [SNYK-JAVA-COMDREWNOAKES-455419](https://snyk.io/vuln/SNYK-JAVA-COMDREWNOAKES-455419)
Issue Links
- duplicates: TIKA-2952 Vulnerable "metadata-extractor 2.11.0" is present in tika 1.22. (Resolved)