Base Score

LOW3.3

CVE-2022-33879

The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.

VectorLOCAL

Published Bysecurity@apache.org

Published DateJun 27, 2022, 22:15

Affected Versions(2)

org.apache.tika:tika(Maven)

Introduced0

Fixed1.28.4

LimitN/A

org.apache.tika:tika(Maven)

Introduced2.0.0

Fixed2.4.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.tika:tika(Maven)	0	1.28.4	N/A
org.apache.tika:tika(Maven)	2.0.0	2.4.1	N/A

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

3.3

Vector String

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Base Severity

LOW

Version

3.1

Attack Vector (AV)

LOCAL

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

LOW

References

Base Score

LOW3.3

Weakness Type (CWE):NVD-CWE-Other

CVSS Metrics

Base Score

3.3

Vector String

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Base Severity

LOW

Version

3.1

Attack Vector (AV)

LOCAL

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

LOW