CVE-2022-33879: 
Java vulnerability analysis and mitigation

Apache Tika versions prior to 1.28.4 and versions 2.0.0 to 2.4.1 were affected by a Regular Expression Denial of Service (ReDoS) vulnerability. The issue was discovered in June 2022 and involved insufficient fixes from previous vulnerabilities (CVE-2022-30126 and CVE-2022-30973) in the StandardsExtractingContentHandler component (GitHub Security Lab, OSS Security).

The vulnerability stems from a problematic regular expression pattern in StandardsText.java containing nested repetition at (\d+.?)*, which could cause exponential backtracking. The regex engine would need to perform exponential backtracking to distinguish which part of the expression matches an input containing a long sequence of numbers. This vulnerability is particularly impactful on JDK versions 8 and below, as JDK 9 introduced mitigations for this type of issue. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (GitHub Security Lab, NVD).

When successfully exploited, this vulnerability could lead to a Denial of Service (DoS) through resource consumption. The issue occurs when processing specially crafted files that can trigger catastrophic backtracking in the regular expression engine, causing exponential processing time (GitHub Security Lab, NetApp Advisory).

The vulnerability has been fixed in Apache Tika versions 1.28.4 and 2.4.1. Users are advised to upgrade to these or later versions to address the issue. No specific workarounds have been provided for users who cannot upgrade immediately (GitHub Security Lab).