BugTraq
CVE-2016-6809 – Arbitrary Code Execution Vulnerability in Apache Tika's MATLAB Parser Nov 10 2016 02:15PM
tallison apache org
CVE-2016-6809 – Arbitrary Code Execution Vulnerability in Apache Tika's MATLAB Parser

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 1.6-1.13

Description: Apache Tika wraps the jmatio parser (https://github.com/gradusnikov/jmatio) to handle MATLAB files. The parser uses native deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the object is deserialized.

Mitigation: Turn off MATLAB file parsing or upgrade to Tika 1.14.
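One way to apply the first mitigation from an application that embeds Tika, as an added example that is not part of this advisory or of Tika's own code: it loads a tika-config.xml that excludes MatParser from DefaultParser and then checks that no parser remains registered for the MATLAB media type. It assumes the Tika release in use honours the <parser-exclude> element and that MatParser registers under application/x-matlab-data.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;

import org.apache.tika.config.TikaConfig;
import org.apache.tika.mime.MediaType;
import org.apache.tika.parser.AutoDetectParser;
import org.apache.tika.parser.ParseContext;
import org.apache.tika.parser.Parser;

public class DisableMatParser {

    // Equivalent of a tika-config.xml on disk: keep DefaultParser (all bundled
    // parsers) but drop the MATLAB parser that wraps jmatio. Assumes the
    // installed Tika version supports <parser-exclude>.
    private static final String CONFIG =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<properties>\n" +
        "  <parsers>\n" +
        "    <parser class=\"org.apache.tika.parser.DefaultParser\">\n" +
        "      <parser-exclude class=\"org.apache.tika.parser.mat.MatParser\"/>\n" +
        "    </parser>\n" +
        "  </parsers>\n" +
        "</properties>\n";

    public static void main(String[] args) throws Exception {
        try (InputStream in = new ByteArrayInputStream(CONFIG.getBytes(StandardCharsets.UTF_8))) {
            TikaConfig config = new TikaConfig(in);
            AutoDetectParser parser = new AutoDetectParser(config);

            // Verify the exclusion took effect: the media type MatParser claims
            // (assumed here to be application/x-matlab-data) must have no parser.
            Map<MediaType, Parser> parsers = parser.getParsers(new ParseContext());
            MediaType matlab = MediaType.application("x-matlab-data");
            if (parsers.containsKey(matlab)) {
                throw new IllegalStateException(
                    "MATLAB parsing still enabled via " + parsers.get(matlab).getClass().getName());
            }
            System.out.println("MATLAB parsing disabled; "
                + parsers.size() + " media types still handled.");
        }
    }
}
```

With this configuration a .mat file is still detected as MATLAB data but falls through to Tika's empty parser, so no jmatio deserialization runs; upgrading to 1.14 remains the complete fix.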

Credit: Pierre Ernst of salesforce.com discovered this issue and contributed to the fix.
