Abhijit Rajwade created TIKA-2686:
-------------------------------------
Summary: pdfbox fontbox 2.0.8 has security vulnerability
CVE-2018-8036 and should be upgraded to 2.0.11
Key: TIKA-2686
URL: https://issues.apache.org/jira/browse/TIKA-2686
Project: Tika
Issue Type: Bug
Components: core
Affects Versions: 1.18, 1.17
Reporter: Abhijit Rajwade
Sonatype Nexus scan on Apach Tika 1.18 reports CVE-2018-8036 on pdfbox fontbox
version 2.0.8 used by Tika 1.17
Details of the lssue from Sonatype Nexus auditor are as follows.
Issue
[CVE-2018-8036|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8036]
Source National Vulnerability Database
Severity Sonatype CVSS 3.0: 7.5
Weakness Sonatype CWE: [400|https://cwe.mitre.org/data/definitions/400.html]
Description from CVE:
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted
(or fuzzed) file can trigger an infinite loop which leads to an out of memory
exception in Apache PDFBox's AFMParser.
Categories Data
Root Cause fontbox-2.0.8.jar : [2.0.0, 2.0.11)
Advisories
Third Party: [https://bugzilla.redhat.com/show_bug.cgi?id=1597490]
Project: https://issues.apache.org/jira/browse/PDFBOX-4251
Sonatype recommendation is to update pdfbox fontbox to non vulnerable version
2.0.11
Can you please update pdfbox fontbox version used by Apache Tika?
--- Abhijit Rajwade
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
