{"id":"USN-8324-1","summary":"tika vulnerabilities","details":"It was discovered that Apache Tika incorrectly handled XML external\nentities when parsing XFA content in PDF files. An attacker could possibly\nuse this issue to obtain sensitive information or send malicious requests\nto internal resources or third-party servers.","modified":"2026-05-27T18:14:18.799728652Z","published":"2026-05-27T14:10:36Z","related":["UBUNTU-CVE-2025-54988","UBUNTU-CVE-2025-66516"],"upstream":["CVE-2025-54988","CVE-2025-66516","UBUNTU-CVE-2025-54988","UBUNTU-CVE-2025-66516"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8324-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-54988"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-66516"}],"affected":[{"package":{"name":"tika","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/tika?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.22-1ubuntu0.1~esm2"}]}],"versions":["1.22-1","1.22-1ubuntu0.1~esm1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"1.22-1ubuntu0.1~esm2","binary_name":"libtika-java"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2025-54988","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-66516","severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","type":"CVSS_V4"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:20.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8324-1.json"}},{"package":{"name":"tika","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/tika?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.22-2+deb11u1build0.22.04.1"}]}],"versions":["1.22-2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.22-2+deb11u1build0.22.04.1","binary_name":"libtika-java"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2025-54988","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-66516","severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","type":"CVSS_V4"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8324-1.json"}}],"schema_version":"1.7.5"}