tika-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Allison <talli...@apache.org>
Subject Re: [CVE-2018-8017] Apache Tika Denial of Service Vulnerability -- Potential Infinite Loop in IptcAnpaParser
Date Fri, 21 Sep 2018 18:08:19 GMT
All,
  I got the credit wrong for this issue.  Rohan Padhye first
identified this vulnerability to the Tika team.  Tobias Ospelt
independently discovered it slightly later.

Credit:
This issue was discovered independently using JQF
(https://github.com/rohanpadhye/jqf), first by Rohan Padhye at the
University of California,
Berkeley and later by Tobias Ospelt of modzero AG.

On Wed, Sep 19, 2018 at 8:49 AM Tim Allison <tallison@apache.org> wrote:
>
> CVE-2018-8017: Apache Tika Denial of Service Vulnerability --
> Potential Infinite Loop in IptcAnpaParser
>
> Severity: Medium
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Tika 1.2 to 1.18
>
> Description:
> A carefully crafted file can trigger an infinite loop in Apache Tika's
> IptcAnpaParser.
>
> Mitigation:
> Apache Tika users should upgrade to 1.19 or later.
>
> Credit:
> This issue was discovered by Tobias Ospelt of modzero AG.

Mime
View raw message