dev-mend-for-github.aaakk.us.kg bot changed the title from "tika-core-1.8.jar: 6 vulnerabilities (highest severity is: 8.8)" to "tika-core-1.8.jar: 6 vulnerabilities (highest severity is: 9.2)" on Apr 4, 2024
dev-mend-for-github.aaakk.us.kg bot changed the title from "tika-core-1.8.jar: 6 vulnerabilities (highest severity is: 9.2)" to "tika-core-1.8.jar: 5 vulnerabilities (highest severity is: 9.2)" on Jan 12, 2025
dev-mend-for-github.aaakk.us.kg bot changed the title from "tika-core-1.8.jar: 5 vulnerabilities (highest severity is: 9.2)" to "tika-core-1.8.jar: 4 vulnerabilities (highest severity is: 9.2)" on Jan 12, 2025
dev-mend-for-github.aaakk.us.kg bot changed the title from "tika-core-1.8.jar: 4 vulnerabilities (highest severity is: 9.2)" to "tika-core-1.8.jar: 3 vulnerabilities (highest severity is: 9.2)" on Jan 12, 2025
dev-mend-for-github.aaakk.us.kg bot changed the title from "tika-core-1.8.jar: 3 vulnerabilities (highest severity is: 9.2)" to "tika-core-1.8.jar: 2 vulnerabilities (highest severity is: 9.2)" on Jan 12, 2025
dev-mend-for-github.aaakk.us.kg bot changed the title from "tika-core-1.8.jar: 2 vulnerabilities (highest severity is: 9.2)" to "tika-core-1.8.jar: 1 vulnerabilities (highest severity is: 9.2)" on Jan 16, 2025
dev-mend-for-github.aaakk.us.kg bot changed the title from "tika-core-1.8.jar: 1 vulnerabilities (highest severity is: 9.2)" to "tika-core-1.8.jar: 6 vulnerabilities (highest severity is: 9.2)" on Feb 6, 2025
This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
Library home page: http://tika.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - tika-core-1.8.jar
This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
Library home page: http://tika.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
Publish Date: 2018-04-25
URL: CVE-2018-1335
CVSS 4 Score Details (9.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1335
Release Date: 2018-04-25
Fix Resolution: 1.18
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - tika-core-1.8.jar
Vulnerability Details
A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.
Publish Date: 2019-08-02
URL: CVE-2019-10088
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10088
Release Date: 2019-08-02
Fix Resolution: 1.22
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - tika-core-1.8.jar
Vulnerability Details
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.
Publish Date: 2018-10-09
URL: CVE-2018-11796
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8017
Release Date: 2018-10-09
Fix Resolution: 1.19.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - tika-core-1.8.jar
Vulnerability Details
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
Publish Date: 2018-09-19
URL: CVE-2018-11761
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread.html/5553e10bba5604117967466618f219c0cae710075819c70cfb3fb421@%3Cdev.tika.apache.org%3E
Release Date: 2018-09-19
Fix Resolution: 1.19
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - tika-core-1.8.jar
Vulnerability Details
A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.
Publish Date: 2019-08-02
URL: CVE-2019-10094
CVSS 4 Score Details (8.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10093
Release Date: 2019-08-02
Fix Resolution: 1.22
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - tika-core-1.8.jar
Vulnerability Details
A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.
Publish Date: 2018-12-24
URL: CVE-2018-17197
CVSS 4 Score Details (6.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17197
Release Date: 2018-12-24
Fix Resolution: 1.20
⛑️ Automatic Remediation will be attempted for this issue.