You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@tika.apache.org by ta...@apache.org on 2016/11/10 14:15:14 UTC

CVE-2016-6809 – Arbitrary Code Execution Vulnerability in Apache Tika’s MATLAB Parser

CVE-2016-6809 – Arbitrary Code Execution Vulnerability in Apache Tika’s MATLAB Parser 

Severity: Important 

Vendor: The Apache Software Foundation 

Versions Affected: 1.6-1.13 

Description: Apache Tika wraps the jmatio parser (https://github.com/gradusnikov/jmatio) to handle MATLAB files.  The parser uses native deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the object is deserialized. 

Mitigation: Turn off MATLAB file parsing or upgrade to Tika 1.14. 

Credit: Pierre Ernst of salesforce.com discovered this issue and contributed to the fix.