A vulnerability in Apache Tika could allow an unauthenticated, remote attacker to conduct an XML External Entity (XXE) attack on a targeted system.
The vulnerability is due to improper implementation of XXE expansion restrictions by the affected software. The software reuses SAXParsers and calls the reset() function after each parse, which could cause Xerces2 parsers to remove the user-specified SecurityManager, resulting in entity expansion limits being removed after the first parse. An attacker could exploit this vulnerability by persuading a user to open an XML file that submits malicious input to the targeted system. A successful exploit could allow the attacker to conduct an XXE attack, which the attacker could use to cause a denial of service (DoS) condition.
Apache confirmed the vulnerability and released software updates.