tika-dev mailing list archives

From "Pat cashman (JIRA)" <j...@apache.org>
Subject [jira] [Created] (TIKA-2877) Tika 1.20 suffers from 3 separate CVE vulnerabilities
Date Thu, 16 May 2019 13:20:00 GMT
Pat cashman created TIKA-2877:

             Summary: Tika 1.20 suffers from 3 separate CVE vulnerabilities
                 Key: TIKA-2877
                 URL: https://issues.apache.org/jira/browse/TIKA-2877
             Project: Tika
          Issue Type: Bug
          Components: app
    Affects Versions: 1.20
         Environment: These are generic issues.
            Reporter: Pat cashman

Tika 1.20's third-party dependencies suffer from 3 separate CVE vulnerabilities, outlined below.

I am aware that these are already included in a separate ticket which deals with the generic
problem of outdated 3rd-party libraries: [https://issues.apache.org/jira/projects/TIKA/issues/TIKA-2854]

At the very least you should update your security page with the details and potentially
release 1.21 to correct these issues.



*a) Guava v17 -> CVE-2018-10237*

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote
attackers to conduct denial of service attacks against servers



*b) jackson-databind v_2.9.7 -> CVE-2018-19362*

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact
by leveraging failure to block the jboss-common-core class from polymorphic deserialization.



*c) sqlite-jdbc v3.25.2 -> CVE-2018-20346*

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and
resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow
tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run
arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.


This message was sent by Atlassian JIRA
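As an added example (not part of the ticket or of the Tika project's own tooling), the following script checks a set of pinned dependency versions against the affected ranges quoted in the three CVE summaries above. The ranges are transcribed from the CVE text in the ticket; the pinned versions are the ones the reporter lists. It assumes, as the ticket does, that a sqlite-jdbc version number tracks the version of SQLite it bundles, so the "SQLite before 3.25.3" range is applied to the sqlite-jdbc artifact version directly.

```python
"""Check pinned dependency versions against advisory version ranges.

Added illustration, not code from the Tika project or from the ticket.
Ranges below are transcribed from the three CVE summaries in TIKA-2877.
"""
import re


def parse_version(version):
    """Turn "24.1.1-jre" into a comparable tuple of ints, (24, 1, 1).

    Qualifiers after a hyphen (Guava's "-jre"/"-android") are dropped;
    they do not affect the numeric ordering the advisories use.
    """
    numeric_part = version.split("-", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", numeric_part))


def in_range(version, lo=None, hi=None):
    """True if version is in [lo, hi): lo inclusive, hi exclusive.

    "before X" in an advisory means X itself is the first fixed release,
    so the upper bound is exclusive.
    """
    v = parse_version(version)
    if lo is not None and v < parse_version(lo):
        return False
    if hi is not None and v >= parse_version(hi):
        return False
    return True


# (artifact, CVE id, lower bound inclusive, upper bound exclusive)
ADVISORIES = [
    # "Google Guava 11.0 through 24.x before 24.1.1"
    ("guava", "CVE-2018-10237", "11.0", "24.1.1"),
    # "jackson-databind 2.x before 2.9.8"
    ("jackson-databind", "CVE-2018-19362", "2.0", "2.9.8"),
    # "SQLite before 3.25.3"; assumption: sqlite-jdbc version == bundled SQLite version
    ("sqlite-jdbc", "CVE-2018-20346", None, "3.25.3"),
]

# The versions the ticket reports for Tika 1.20 (constructed input for the example).
PINNED_TIKA_1_20 = {
    "guava": "17.0",
    "jackson-databind": "2.9.7",
    "sqlite-jdbc": "3.25.2",
}


def affected(pinned, advisories=ADVISORIES):
    """Return the sorted list of CVE ids whose range covers a pinned artifact."""
    return sorted(
        cve
        for artifact, cve, lo, hi in advisories
        if artifact in pinned and in_range(pinned[artifact], lo, hi)
    )


if __name__ == "__main__":
    for cve in affected(PINNED_TIKA_1_20):
        print("affected:", cve)
```

Running it against the reporter's versions lists all three CVE ids; bumping each artifact to or past the advisory's upper bound (for example Guava 24.1.1-jre and jackson-databind 2.9.8) empties the list. The comparison is purely numeric, so it will not understand release trains or backported fixes; for a real build, feed it the versions printed by the build tool's dependency listing rather than hand-typed values.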
