{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2016-4434","title":"Title"},{"category":"description","text":"Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2016-4434","url":"https://www.suse.com/security/cve/CVE-2016-4434"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"}],"title":"SUSE CVE CVE-2016-4434","tracking":{"current_release_date":"2025-04-25T09:32:09Z","generator":{"date":"2024-06-13T05:50:36Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2016-4434","initial_release_date":"2024-06-13T05:50:36Z","revision_history":[{"date":"2024-06-13T05:50:36Z","number":"2","summary":"Current version"},{"date":"2025-01-01T09:55:28Z","number":"3","summary":"Current version"},{"date":"2025-02-18T15:43:40Z","number":"4","summary":"Current version"},{"date":"2025-03-16T04:01:13Z","number":"5","summary":"Current version"},{"date":"2025-04-25T09:32:09Z","number":"6","summary":"Current version"}],"status":"interim","version":"6"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Manager Server 3.1","product":{"name":"SUSE Manager Server 3.1","product_id":"SUSE Manager Server 3.1","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-server:3.1"}}},{"category":"product_name","name":"SUSE Manager Server 3.2","product":{"name":"SUSE Manager Server 3.2","product_id":"SUSE Manager Server 3.2","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-server:3.2"}}},{"category":"product_name","name":"SUSE Manager Server Module 4.0","product":{"name":"SUSE Manager Server Module 4.0","product_id":"SUSE Manager Server Module 4.0","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-suse-manager-server:4.0"}}},{"category":"product_version","name":"tika-core","product":{"name":"tika-core","product_id":"tika-core","product_identification_helper":{"cpe":"cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/tika-core@?upstream=tika-core.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"tika-core as component of SUSE Manager Server 3.1","product_id":"SUSE Manager Server 3.1:tika-core"},"product_reference":"tika-core","relates_to_product_reference":"SUSE Manager Server 3.1"},{"category":"default_component_of","full_product_name":{"name":"tika-core as component of SUSE Manager Server 3.2","product_id":"SUSE Manager Server 3.2:tika-core"},"product_reference":"tika-core","relates_to_product_reference":"SUSE Manager Server 3.2"},{"category":"default_component_of","full_product_name":{"name":"tika-core as component of SUSE Manager Server Module 4.0","product_id":"SUSE Manager Server Module 4.0:tika-core"},"product_reference":"tika-core","relates_to_product_reference":"SUSE Manager Server Module 4.0"}]},"vulnerabilities":[{"cve":"CVE-2016-4434","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2016-4434"}],"notes":[{"category":"general","text":"Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.","title":"CVE description"}],"product_status":{"known_not_affected":["SUSE Manager Server 3.1:tika-core","SUSE Manager Server 3.2:tika-core","SUSE Manager Server Module 4.0:tika-core"]},"references":[{"category":"external","summary":"CVE-2016-4434","url":"https://www.suse.com/security/cve/CVE-2016-4434"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"}],"threats":[{"category":"impact","date":"2016-05-26T18:15:13Z","details":"important"}],"title":"CVE-2016-4434"}]}