CVE-2020-1951
CVSS Score: 5.5 (Medium)
Vulnerability Description
A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser in versions 1.0-1.23.
CVSS Metrics
Common Vulnerability Scoring System
Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- Attack Vector: L
- Attack Complexity: L
- Privileges Required: N
- User Interaction: R
- Scope: U
- Confidentiality: N
- Integrity: N
- Availability: H
Known Affected Software
8 configurations from 3 vendors
- ubuntu_linux, Version: 16.04, CPE: cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:*:*:*:*
- debian_linux, Version: 8.0, CPE: cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- flexcube_private_banking, Version: 12.1.0, CPE: cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
- communications_messaging_server, Version: 8.0.2, CPE: cpe:2.3:a:oracle:communications_messaging_server:8.0.2:*:*:*:*:*:*:*
- flexcube_private_banking, Version: 12.0.0, CPE: cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- business_process_management_suite, Version: 12.2.1.3.0, CPE: cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
- communications_messaging_server, Version: 8.1, CPE: cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
- business_process_management_suite, Version: 12.2.1.4.0, CPE: cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
This vulnerability affects 8 software configurations. Ensure you patch all affected systems.
References & Resources
- https://lists.apache.org/thread.html/rd8c1b42bd0e31870d804890b3f00b13d837c528f7ebaf77031323172%40%3Cdev.tika.apache.org%3E (source: security@apache.org; Mailing List, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2020/03/msg00035.html (source: security@apache.org; Mailing List, Third Party Advisory)
- https://usn.ubuntu.com/4564-1/ (source: security@apache.org; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (source: security@apache.org; Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2020.html (source: security@apache.org; Patch, Third Party Advisory)
Severity Details
5.5 out of 10.0 (Medium)
Weakness Type (CWE)
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
- Description: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
- Typical Severity: Medium
- Abstraction Level: Base
Key Information
- Published Date: March 23, 2020
