Vulnerability Details : CVE-2016-6809
Apache Tika before 1.14 allows Java code execution via serialized objects embedded in MATLAB files. The issue exists because Tika's MATLAB parser invokes JMatIO, which performs native Java deserialization of the embedded objects.
Products affected by CVE-2016-6809
- cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:nutch:2.3.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-6809
- EPSS score: 2.30% (probability of exploitation activity in the next 30 days)
- Percentile: ~89% (the proportion of vulnerabilities scored at or below this one)
- EPSS Score History
CVSS scores for CVE-2016-6809
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2016-6809
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2016-6809
- https://lists.apache.org/thread.html/rfd3646bb724b66b1a9ddef69e692da2b7a727a8799551c78eedf0a0f@%3Cissues.lucene.apache.org%3E
  [jira] [Issue Comment Deleted] (SOLR-11486) CVE-2016-6809: Upgrade TIKA - Pony Mail (Mailing List; Vendor Advisory)
- http://seclists.org/bugtraq/2016/Nov/40
  Bugtraq: CVE-2016-6809 – Arbitrary Code Execution Vulnerability in Apache Tika’s MATLAB Parser (Mailing List; Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/94247
  Apache Tika CVE-2016-6809 Remote Code Execution Vulnerability (Third Party Advisory; VDB Entry)
- https://dist.apache.org/repos/dist/release/tika/CHANGES-1.14.txt
  Tika 1.14 CHANGES file (Release Notes; Vendor Advisory)
- https://lists.apache.org/thread.html/r2f6f6c130b12b7332f323f74d031072b1517065ce28a22346791ffb6@%3Cissues.lucene.apache.org%3E
  Pony Mail thread (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/e414754a6c57ce7194b731e211cd6b2cbb41f2c7000e3fb9c6b6ec78@%3Cdev.lucene.apache.org%3E
  Re: 6.6.6 Release - Pony Mail (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/d2375da29d89e679abf5d845db76d6f798fdc6f7d44f2c788e8a0fb9@%3Cuser.nutch.apache.org%3E
  Pony Mail thread (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/91eb639ef619b9a26b40020ca6732e7dbe457f7322ed5f1df49e411a@%3Cdev.nutch.apache.org%3E
  [SECURITY] Nutch 2.3.1 affected by downstream dependency CVE-2016-6809 - Pony Mail (Mailing List; Vendor Advisory)