CVE-2020-9489: 
Java vulnerability analysis and mitigation

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-835 (Loop with Unreachable Exit Condition - 'Infinite Loop'). The issue affects multiple parsers within Apache Tika, including ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser (NVD).

The vulnerability can lead to denial of service through multiple vectors: System.exit calls in the OneNote Parser, out of memory errors, and infinite loops in various parsers. This can affect the availability of systems using Apache Tika for file parsing (NVD).

Users should upgrade to Apache Tika version 1.24.1 or later. The MP4Parser vulnerabilities were partially addressed by upgrading the isoparser dependency from com.googlecode:isoparser:1.1.22 to org.tallison:isoparser:1.9.41.2. Additionally, org.apache.cxf was upgraded to 3.3.6 as part of the 1.24.1 release (CVE).