You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tika.apache.org by "Tim Allison (Jira)" <ji...@apache.org> on 2022/04/22 18:40:00 UTC

[jira] [Commented] (TIKA-3729) CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file

    [ https://issues.apache.org/jira/browse/TIKA-3729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17526619#comment-17526619 ] 

Tim Allison commented on TIKA-3729:
-----------------------------------

I was able to update my personal fork of drewnoakes to include his snapshot/master branch.  I've made a release.  Once that arrives in maven central, we'll update that in our 1.x branch, and we'll be good to go.

> CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file
> -------------------------------------------------------------------------------------------
>
>                 Key: TIKA-3729
>                 URL: https://issues.apache.org/jira/browse/TIKA-3729
>             Project: Tika
>          Issue Type: Bug
>          Components: metadata
>    Affects Versions: 1.28.1, 2.3.0
>            Reporter: Luigi De Masi
>            Assignee: Tim Allison
>            Priority: Major
>             Fix For: 2.3.0
>
>
> CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file
> When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.
>  
> https://github.com/drewnoakes/metadata-extractor/issues/561



--
This message was sent by Atlassian Jira
(v8.20.7#820007)