CVE-2021-28657 — MEDIUM (5.5)

Q: What is CVE-2021-28657?

CVE-2021-28657 is a vulnerability with a CVSS score of 5.5 (MEDIUM). A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

Q: How severe is CVE-2021-28657?

CVE-2021-28657 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-28657?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tika, Oracle Healthcare Foundation, Oracle Primavera Unifier, Oracle Webcenter Portal, Oracle Communications Messaging Server.

Vulnerability Description

A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Tika	<= 1.25
Oracle	Healthcare Foundation	7.3.0
Oracle	Primavera Unifier	>= 17.7, <= 17.12
Oracle	Webcenter Portal	12.2.1.3.0
Oracle	Communications Messaging Server	8.1

Related Weaknesses (CWE)

CWE-835

References

https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a
https://lists.apache.org/thread.html/r915add4aa52c60d1b5cf085039cfa73a98d7fae967Mailing ListVendor Advisory
https://security.netapp.com/advisory/ntap-20210507-0004/Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a
https://lists.apache.org/thread.html/r915add4aa52c60d1b5cf085039cfa73a98d7fae967Mailing ListVendor Advisory
https://security.netapp.com/advisory/ntap-20210507-0004/Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory

FAQ

What is CVE-2021-28657?

CVE-2021-28657 is a vulnerability with a CVSS score of 5.5 (MEDIUM). A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

How severe is CVE-2021-28657?

CVE-2021-28657 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-28657?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tika, Oracle Healthcare Foundation, Oracle Primavera Unifier, Oracle Webcenter Portal, Oracle Communications Messaging Server.