tika-core-1.8.jar: 6 vulnerabilities (highest severity is: 9.2) #66

Open
dev-mend-for-github-com bot opened this issue Dec 11, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

dev-mend-for-github-com bot commented Dec 11, 2023

Vulnerable Library - tika-core-1.8.jar

This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.

Library home page: http://tika.apache.org/

Path to dependency file: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (tika-core version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2018-1335 | Critical | 9.2 | tika-core-1.8.jar | Direct | 1.18 | | |
| CVE-2019-10088 | High | 8.7 | tika-core-1.8.jar | Direct | 1.22 | | |
| CVE-2018-11796 | High | 8.7 | tika-core-1.8.jar | Direct | 1.19.1 | | |
| CVE-2018-11761 | High | 8.7 | tika-core-1.8.jar | Direct | 1.19 | | |
| CVE-2019-10094 | High | 8.5 | tika-core-1.8.jar | Direct | 1.22 | | |
| CVE-2018-17197 | Medium | 6.0 | tika-core-1.8.jar | Direct | 1.20 | | |

**In some cases a Remediation PR cannot be created automatically for a vulnerability, even though a fixed version is available.

Details

CVE-2018-1335

Dependency Hierarchy:

  • tika-core-1.8.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

Publish Date: 2018-04-25

URL: CVE-2018-1335

CVSS 4 Score Details (9.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1335

Release Date: 2018-04-25

Fix Resolution: 1.18

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10088

Dependency Hierarchy:

  • tika-core-1.8.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Users should upgrade to 1.22 or later.

Publish Date: 2019-08-02

URL: CVE-2019-10088

CVSS 4 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10088

Release Date: 2019-08-02

Fix Resolution: 1.22

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-11796

Dependency Hierarchy:

  • tika-core-1.8.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.

Publish Date: 2018-10-09

URL: CVE-2018-11796

CVSS 4 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8017

Release Date: 2018-10-09

Fix Resolution: 1.19.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-11761

Dependency Hierarchy:

  • tika-core-1.8.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.

Publish Date: 2018-09-19

URL: CVE-2018-11761

CVSS 4 Score Details (8.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/5553e10bba5604117967466618f219c0cae710075819c70cfb3fb421@%3Cdev.tika.apache.org%3E

Release Date: 2018-09-19

Fix Resolution: 1.19

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10094

Dependency Hierarchy:

  • tika-core-1.8.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.

Publish Date: 2019-08-02

URL: CVE-2019-10094

CVSS 4 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10093

Release Date: 2019-08-02

Fix Resolution: 1.22

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-17197

Dependency Hierarchy:

  • tika-core-1.8.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.

Publish Date: 2018-12-24

URL: CVE-2018-17197

CVSS 4 Score Details (6.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17197

Release Date: 2018-12-24

Fix Resolution: 1.20

⛑️ Automatic Remediation will be attempted for this issue.

dev-mend-for-github-com bot added the label "Mend: dependency security vulnerability" on Dec 11, 2023.
dev-mend-for-github-com bot changed the title from "tika-core-1.8.jar: 6 vulnerabilities (highest severity is: 8.8)" to "tika-core-1.8.jar: 6 vulnerabilities (highest severity is: 9.2)" on Apr 4, 2024.