CVE-2022-25169: Allocation of Resources Without Limits or Throttling

May 17, 2022 (updated August 11, 2022)

The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.

References

www.openwall.com/lists/oss-security/2022/05/16/4
github.com/advisories/GHSA-7qcq-xp2f-56f6
lists.apache.org/thread/t3tb51sf0k2pmbnzsrrrm23z9r1c10rk
nvd.nist.gov/vuln/detail/CVE-2022-25169
security.netapp.com/advisory/ntap-20220804-0004/
www.oracle.com/security-alerts/cpujul2022.html

Code Behaviors & Features

Detect and mitigate CVE-2022-25169 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →