Bio Formats
Monthly
Unsafe deserialization in Bio-Formats up to version 8.3.0 allows local attackers to execute arbitrary code or cause denial of service by crafting malicious .bfmemo cache files that are automatically loaded during image processing without validation. The Memoizer class deserializes untrusted data from these files, enabling potential remote code execution if suitable Java gadget chains are available on the classpath. No patch is currently available for this vulnerability (CVSS 7.8).
Bio-Formats versions up to 8.3.0 contain an XML External Entity (XXE) injection vulnerability in the Leica Microsystems metadata parser that fails to disable external entity expansion. A local attacker can exploit this by crafting malicious XML metadata files to trigger server-side request forgery, read local files, or cause denial of service. No patch is currently available.
Unsafe deserialization in Bio-Formats up to version 8.3.0 allows local attackers to execute arbitrary code or cause denial of service by crafting malicious .bfmemo cache files that are automatically loaded during image processing without validation. The Memoizer class deserializes untrusted data from these files, enabling potential remote code execution if suitable Java gadget chains are available on the classpath. No patch is currently available for this vulnerability (CVSS 7.8).
Bio-Formats versions up to 8.3.0 contain an XML External Entity (XXE) injection vulnerability in the Leica Microsystems metadata parser that fails to disable external entity expansion. A local attacker can exploit this by crafting malicious XML metadata files to trigger server-side request forgery, read local files, or cause denial of service. No patch is currently available.