Date: Mon, 27 Jun 2022 20:30:57 +0000
From: Tim Allison <>
Subject: CVE-2022-33879: Apache Tika: Incomplete fix and new regex DoS in

Severity: low


The initial fixes for CVE-2022-30126 and CVE-2022-30973, which addressed regexes in the StandardsExtractingContentHandler, were insufficient. In addition, we found a separate, new regex DoS in a different regex in the same StandardsExtractingContentHandler. Both issues are fixed in 1.28.4 and 2.4.1.


This incomplete fix was discovered and reported by the CodeQL team members @atorralba (Tony Torralba) and @jarlob (Jaroslav Lobačevski) from GitHub Security Lab. The new ReDoS was discovered by the Apache Tika team.
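The advisory does not show the affected regexes, so the following is an added example, not Tika's code: two hypothetical standards-reference patterns (a vulnerable form with an optional separator inside a repeated group, and an unambiguous, bounded rewrite) plus a small probe that feeds adversarial input of growing length and reports whether matching time grows superlinearly. This is the kind of check that catches an incomplete fix, where one regex was bounded but a sibling with the same ambiguity was left untouched. The pattern strings, sample inputs and size thresholds are all constructed for this example.

```python
import re
import time

# Hypothetical patterns constructed for this example. They are NOT the
# regexes from Tika's StandardsExtractingContentHandler.
#
# Vulnerable form: the separator inside the repeated group is optional, so a
# run of letters can be split between group iterations in 2**(n-1) ways. When
# the trailing \d{2,5} fails, a backtracking engine tries every split.
VULNERABLE = re.compile(r"(?:[A-Z]+[ ./-]?)+\d{2,5}")

# Hardened form: a separator is mandatory between letter runs, so at each
# position there is exactly one way to continue, and every quantifier is
# bounded so a single match cannot scan unboundedly far.
HARDENED = re.compile(r"[A-Z]{2,10}(?:[ ./-][A-Z]{1,10}){0,3}[ -]?\d{2,5}")


def extract(pattern, text):
    """Return all standards-like references found by `pattern` in `text`."""
    return pattern.findall(text)


def adversarial_input(n):
    """A run of n letters with no digits: the match must fail, and a
    backtracking engine explores every split of the run before giving up."""
    return "A" * n + "!"


def time_search(pattern, text, repeats=3):
    """Best-of-`repeats` wall-clock time for one unanchored search."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.search(text)
        best = min(best, time.perf_counter() - start)
    return max(best, 1e-9)  # guard against a zero-resolution timer reading


def growth_ratio(pattern, small, large):
    """How much slower `pattern` gets when the adversarial input grows from
    `small` to `large` characters. A linear or mildly polynomial pattern gives
    a small ratio; catastrophic backtracking gives about 2**(large - small)."""
    t_small = time_search(pattern, adversarial_input(small))
    t_large = time_search(pattern, adversarial_input(large))
    return t_large / t_small


def is_superlinear(pattern, small=10, large=18, threshold=20.0):
    """True if matching time blows up between `small` and `large` characters.
    The threshold sits well below the ~256x an exponential pattern produces
    for this size step and well above the ~3x a quadratic search produces."""
    return growth_ratio(pattern, small, large) > threshold


if __name__ == "__main__":
    sample = "ISO/IEC 27001 and IEEE 802"  # constructed sample text
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, extract(pat, sample), "superlinear:", is_superlinear(pat))
```

Both patterns return the same references on benign text, which is exactly why an incomplete fix can slip through review: behaviour on expected input does not change. The probe only measures the failing case, and the unanchored `search` matters because a content handler scans whole documents, so a pattern that is merely quadratic per start position can still be costly on a large input; in Java the equivalent hardening is bounded quantifiers plus possessive quantifiers (`++`) or atomic groups to stop the engine from giving characters back.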
