Bugtraq mailing list archives
CVE-2016-6809 – Arbitrary Code Execution Vulnerability in Apache Tika’s MATLAB Parser
From: <tallison () apache org>
Date: Thu, 10 Nov 2016 14:15:14 +0000 (UTC)
CVE-2016-6809 – Arbitrary Code Execution Vulnerability in Apache Tika’s MATLAB Parser

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.6-1.13

Description: Apache Tika wraps the jmatio parser (https://github.com/gradusnikov/jmatio) to handle MATLAB files. The parser uses native deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the object is deserialized.

Mitigation: Turn off MATLAB file parsing or upgrade to Tika 1.14.

Credit: Pierre Ernst of salesforce.com discovered this issue and contributed to the fix.
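One way to apply the first mitigation (turning off MATLAB file parsing) for deployments that cannot upgrade immediately is a Tika configuration that keeps the default parser set but excludes the MATLAB parser. This is an added example, not part of the advisory; it assumes the parser-exclude element is supported by the Tika version in use and that the MATLAB parser class is org.apache.tika.parser.mat.MatParser.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- tika-config.xml (added example, not from the advisory).
     Keeps Tika's DefaultParser but removes the MATLAB parser so that
     .mat files are no longer handed to jmatio and its Java deserialization.
     Assumes parser-exclude is supported by the Tika version in use.
     Load it with: new AutoDetectParser(new TikaConfig("tika-config.xml")) -->
<properties>
  <parsers>
    <parser class="org.apache.tika.parser.DefaultParser">
      <parser-exclude class="org.apache.tika.parser.mat.MatParser"/>
    </parser>
  </parsers>
</properties>
```

After loading the config, confirm the exclusion took effect by checking that the parser's supported types no longer include the MATLAB media type before relying on it in production.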