CVE-2020-9489 — MEDIUM (5.5)

Q: How severe is CVE-2020-9489?

CVE-2020-9489 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-9489?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tika, Oracle Flexcube Private Banking, Oracle Primavera Unifier, Oracle Webcenter Portal, Oracle Communications Messaging Server.

Vulnerability Description

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Tika	1.24
Oracle	Flexcube Private Banking	12.0.0
Oracle	Primavera Unifier	>= 17.7, <= 17.12
Oracle	Webcenter Portal	12.2.1.3.0
Oracle	Communications Messaging Server	8.1

Related Weaknesses (CWE)

CWE-835

References

https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a
https://lists.apache.org/thread.html/r4d943777e36ca3aa6305a45da5acccc54ad894f2d5Mailing ListVendor Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlPatchThird Party Advisory
https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a
https://lists.apache.org/thread.html/r4d943777e36ca3aa6305a45da5acccc54ad894f2d5Mailing ListVendor Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlPatchThird Party Advisory

FAQ

What is CVE-2020-9489?

CVE-2020-9489 is a vulnerability with a CVSS score of 5.5 (MEDIUM). A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Pa...

How severe is CVE-2020-9489?

CVE-2020-9489 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-9489?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tika, Oracle Flexcube Private Banking, Oracle Primavera Unifier, Oracle Webcenter Portal, Oracle Communications Messaging Server.