tika-dev mailing list archives

From "Tim Allison (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TIKA-2829) Security Vulnerability in boilerpipe (CVE-2018-16481)
Date Tue, 19 Feb 2019 17:31:00 GMT

    [ https://issues.apache.org/jira/browse/TIKA-2829?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772142#comment-16772142 ]

Tim Allison commented on TIKA-2829:
-----------------------------------

Are you able to submit a unit test that shows this vulnerability in action in the Tika framework... ideally via a patch to private@tika.apache.org?

Would this vulnerability be triggered by users who take the output of Tika and display it
in a browser?

Thank you!

> Security Vulnerability in boilerpipe (CVE-2018-16481)
> -----------------------------------------------------
>
>                 Key: TIKA-2829
>                 URL: https://issues.apache.org/jira/browse/TIKA-2829
>             Project: Tika
>          Issue Type: Bug
>          Components: parser
>    Affects Versions: 1.20
>            Reporter: Alex LI
>            Priority: Major
>
> org.apache.tika:tika-parsers:1.20 depends on boilerpipe, which the dependency reflections uses.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-16481]
> h3. Current Description
> An XSS vulnerability was found in html-page <=2.1.1 that allows malicious Javascript code to be executed in the user's browser due to the absence of sanitization of the paths before rendering.
> ==========================
> [info] de.l3s.boilerpipe:boilerpipe:1.1.0
> [info]   +-org.apache.tika:tika-parsers:1.20



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
