Apache Tika wraps the jmatio parser to handle MATLAB files. The parser uses native deserialization on serialized Java objects embedded in MATLAB files. A malicious user could inject arbitrary code into a MATLAB file that would be executed when the object is deserialized. Versions 1.6 through 1.13 are affected.
226a436c7b3ab43566f0b5d55d84ab755d746a38d7b3256777c317a174b2d47e