PT-2018-10826 · Apache · Apache Tika

Publicado

2018-10-09

Atualizado

2019-09-03

CVE-2018-11796

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Apache Tika versions 0.1 through 1.19

Description The issue concerns entity expansion limits for XML parsing. In Apache Tika, the reuse of SAXParsers and the call to reset() after each parse removes the user-specified SecurityManager for Xerces2 parsers, thus removing entity expansion limits after the first parse. This can lead to a denial of service attack.

Recommendations For Apache Tika versions 0.1 through 1.19, upgrade to 1.19.1 or later to resolve the issue.

Correção

XXE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-611

Identificadores relacionados

CVE-2018-11796

GHSA-H8Q5-G2CJ-QR5H

Produtos afetados

Apache Tika

PT-2018-10826 · Apache · Apache Tika

CVE-2018-11796

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 13