{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2020-9489","title":"Title"},{"category":"description","text":"A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2020-9489","url":"https://www.suse.com/security/cve/CVE-2020-9489"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1170542 for CVE-2020-9489","url":"https://bugzilla.suse.com/1170542"}],"title":"SUSE CVE CVE-2020-9489","tracking":{"current_release_date":"2025-04-25T05:40:31Z","generator":{"date":"2023-02-15T04:00:53Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2020-9489","initial_release_date":"2023-02-15T04:00:53Z","revision_history":[{"date":"2023-02-15T04:00:53Z","number":"2","summary":"Current version"},{"date":"2025-01-01T05:47:44Z","number":"3","summary":"Current version"},{"date":"2025-02-15T06:24:31Z","number":"4","summary":"Current version"},{"date":"2025-02-17T06:45:59Z","number":"5","summary":"Current version"},{"date":"2025-03-15T10:06:27Z","number":"6","summary":"Current version"},{"date":"2025-04-25T05:40:31Z","number":"7","summary":"Current version"}],"status":"interim","version":"7"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Manager Server 3.2","product":{"name":"SUSE Manager Server 3.2","product_id":"SUSE Manager Server 3.2","product_identification_helper":{"cpe":"cpe:/o:suse:suse-manager-server:3.2"}}},{"category":"product_name","name":"SUSE Manager Server Module 4.0","product":{"name":"SUSE Manager Server Module 4.0","product_id":"SUSE Manager Server Module 4.0","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-suse-manager-server:4.0"}}},{"category":"product_version","name":"tika-core","product":{"name":"tika-core","product_id":"tika-core","product_identification_helper":{"cpe":"cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/tika-core@?upstream=tika-core.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"tika-core as component of SUSE Manager Server 3.2","product_id":"SUSE Manager Server 3.2:tika-core"},"product_reference":"tika-core","relates_to_product_reference":"SUSE Manager Server 3.2"},{"category":"default_component_of","full_product_name":{"name":"tika-core as component of SUSE Manager Server Module 4.0","product_id":"SUSE Manager Server Module 4.0:tika-core"},"product_reference":"tika-core","relates_to_product_reference":"SUSE Manager Server Module 4.0"}]},"vulnerabilities":[{"cve":"CVE-2020-9489","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-9489"}],"notes":[{"category":"general","text":"A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.","title":"CVE description"}],"product_status":{"known_not_affected":["SUSE Manager Server 3.2:tika-core","SUSE Manager Server Module 4.0:tika-core"]},"references":[{"category":"external","summary":"CVE-2020-9489","url":"https://www.suse.com/security/cve/CVE-2020-9489"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1170542 for CVE-2020-9489","url":"https://bugzilla.suse.com/1170542"}],"threats":[{"category":"impact","date":"2020-04-24T16:47:53Z","details":"moderate"}],"title":"CVE-2020-9489"}]}