Impact
A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption.
Patches
This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.
Workarounds
The workaround is to download commons-compress 1.24 and replace the one located in XWiki WEB-INF/lib/ folder.
References
https://jira.xwiki.org/browse/XCOMMONS-2796
For more information
If you have any questions or comments about this advisory:
Impact
A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption.
Patches
This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1.
Workarounds
The workaround is to download commons-compress 1.24 and replace the one located in XWiki
WEB-INF/lib/folder.References
https://jira.xwiki.org/browse/XCOMMONS-2796
For more information
If you have any questions or comments about this advisory: