CVE-2016-6809

Published: Apr 6, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.

Affected (2)

Products: Apache: Nutch, Tika

Apache

2 products

Nutch

Tika

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Nutch	Version 2.3.1
Apache Tika	Up to 1.13

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (16)

http://seclists.org/bugtraq/2016/Nov/40

Source: cve@mitre.org

Mailing ListThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/94247

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://dist.apache.org/repos/dist/release/tika/CHANGES-1.14.txt

Source: cve@mitre.org

Release NotesVendor Advisory

https://lists.apache.org/thread.html/91eb639ef619b9a26b40020ca6732e7dbe457f7322ed5f1df49e411a%40%3Cdev.nutch.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/d2375da29d89e679abf5d845db76d6f798fdc6f7d44f2c788e8a0fb9%40%3Cuser.nutch.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/e414754a6c57ce7194b731e211cd6b2cbb41f2c7000e3fb9c6b6ec78%40%3Cdev.lucene.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r2f6f6c130b12b7332f323f74d031072b1517065ce28a22346791ffb6%40%3Cissues.lucene.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rfd3646bb724b66b1a9ddef69e692da2b7a727a8799551c78eedf0a0f%40%3Cissues.lucene.apache.org%3E

Source: cve@mitre.org

http://seclists.org/bugtraq/2016/Nov/40