tika-dev mailing list archives

From "Tim Allison (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TIKA-2877) Tika 1.20 suffer from 3 separate CVE vulnerabilities
Date Thu, 16 May 2019 15:55:00 GMT

    [ https://issues.apache.org/jira/browse/TIKA-2877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16841492#comment-16841492

Tim Allison commented on TIKA-2877:

Voting is underway for 1.21: https://lists.apache.org/thread.html/2c027535156cc6862149490b289552d72ba5a9bff985fb7cce794e21@%3Cdev.tika.apache.org%3E

I can add a new table for dependency vulnerabilities on our security page.  Thank you.

> Tika 1.20 suffer from 3 separate CVE vulnerabilities
> ----------------------------------------------------
>                 Key: TIKA-2877
>                 URL: https://issues.apache.org/jira/browse/TIKA-2877
>             Project: Tika
>          Issue Type: Bug
>          Components: app
>    Affects Versions: 1.20
>         Environment: These are generic issues.
>            Reporter: Pat cashman
>            Priority: Critical
> Tika 1.20 third-party dependencies suffer from 3 separate CVE vulnerabilities, outlined below.
> I am aware that these are already included in a separate ticket which deals with the generic problem of outdated 3rd-party libraries. [https://issues.apache.org/jira/projects/TIKA/issues/TIKA-2854]
> At the very least you should update your security page with the details and potentially release 1.21 to correct these issues.
> [https://tika.apache.org/security.html]
> *a) GUAVA v_17 -> CVE-2018-10237*
> Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers
> [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
> *b) jackson-databind v_2.9.7 -> CVE-2018-19362*
> FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-19362]
> *c) sqlite-jdbc v_3.25.2 -> CVE-2018-20346*
> SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-20346]

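The ticket reports three outdated artifacts by hand. The script below, added here as an example and not part of Tika or of this thread, turns the three version ranges quoted in the ticket into a check that can be run over real `mvn dependency:tree` output. The affected ranges are taken from the NVD descriptions quoted above (Guava 11.0 through 24.x before 24.1.1, jackson-databind 2.x before 2.9.8, SQLite before 3.25.3); the sample tree text is constructed and the Maven coordinates for the three artifacts, as well as the assumption that the sqlite-jdbc artifact version tracks the bundled SQLite release, are mine.

```python
"""Flag third-party artifacts in `mvn dependency:tree` output whose versions
fall inside the affected ranges of the three CVEs quoted in TIKA-2877.

Added example for this page; it is not Tika project code. The version
thresholds come from the NVD descriptions quoted in the ticket; the sample
tree output below is constructed, not captured from a real Tika build.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (lowest affected version or None, first fixed version, CVE id), from the
# ticket text: Guava "11.0 through 24.x before 24.1.1", jackson-databind
# "2.x before 2.9.8", SQLite "before 3.25.3".
# Assumption: org.xerial:sqlite-jdbc's version number tracks the bundled
# SQLite release, so the SQLite fix version is checked against that artifact.
AFFECTED: Dict[str, Tuple[Optional[str], str, str]] = {
    "com.google.guava:guava": ("11.0", "24.1.1", "CVE-2018-10237"),
    "com.fasterxml.jackson.core:jackson-databind": ("2.0", "2.9.8", "CVE-2018-19362"),
    "org.xerial:sqlite-jdbc": (None, "3.25.3", "CVE-2018-20346"),
}

# dependency:tree prints groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w.\-]+:)?(\d[\w.\-]*):[a-z]+\b"
)


def parse_version(version: str) -> Version:
    """Numeric prefix of a Maven version: '24.1.1-jre' -> (24, 1, 1).
    Qualifiers such as -jre or -SNAPSHOT are dropped; a version with no
    numeric prefix yields () and is left for manual review."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(coordinate: str, version: str) -> Optional[str]:
    """Return the CVE id if groupId:artifactId at `version` lies inside an
    affected range, else None."""
    entry = AFFECTED.get(coordinate)
    if entry is None:
        return None
    low, fixed, cve = entry
    parsed = parse_version(version)
    if not parsed:
        return None  # unparseable version: cannot compare, review by hand
    if low is not None and parsed < parse_version(low):
        return None  # older than the first affected release
    return cve if parsed < parse_version(fixed) else None


def scan_tree(tree_output: str) -> List[Tuple[str, str, str]]:
    """Scan dependency:tree text; return (coordinate, version, cve) per hit,
    in the order the artifacts appear in the tree."""
    findings: List[Tuple[str, str, str]] = []
    for line in tree_output.splitlines():
        m = DEP_LINE.search(line)
        if not m:
            continue  # root artifact line or non-dependency output
        coordinate = f"{m.group(1)}:{m.group(2)}"
        version = m.group(3)
        cve = is_affected(coordinate, version)
        if cve:
            findings.append((coordinate, version, cve))
    return findings


# Constructed sample tree; the three versions are the ones named in the ticket.
SAMPLE_TREE = """\
[INFO] org.apache.tika:tika-app:jar:1.20
[INFO] +- com.google.guava:guava:jar:17.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.7:compile
[INFO] +- org.xerial:sqlite-jdbc:jar:3.25.2:provided
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.25:compile
"""

if __name__ == "__main__":
    for coordinate, version, cve in scan_tree(SAMPLE_TREE):
        print(f"{coordinate}:{version} -> {cve}")
```

Against a real build, save the tree with `mvn dependency:tree -DoutputFile=tree.txt` and pass the file contents to `scan_tree`. The comparison deliberately strips qualifiers such as `-jre`, so `24.1.1-jre` is treated as fixed while `24.1-jre` is still flagged; only jackson-databind is checked, not jackson-core, because the quoted CVE names the databind module.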