[ https://issues.apache.org/jira/browse/TIKA-2686?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tim Allison resolved TIKA-2686.
-------------------------------
    Resolution: Duplicate
    Fix Version/s: 2.0.0
                   1.19

Thank you for raising this! We upgraded via TIKA-2681 and look forward to a release of 1.19 later this month or early next.

> pdfbox fontbox 2.0.8 has security vulnerability CVE-2018-8036 and should be
> upgraded to 2.0.11
> ----------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2686
>                 URL: https://issues.apache.org/jira/browse/TIKA-2686
>             Project: Tika
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.17, 1.18
>            Reporter: Abhijit Rajwade
>            Priority: Major
>              Labels: security
>             Fix For: 1.19, 2.0.0
>
> Sonatype Nexus scan on Apache Tika 1.18 reports CVE-2018-8036 on pdfbox
> fontbox version 2.0.8 used by Tika 1.17
> Details of the issue from Sonatype Nexus auditor are as follows.
>
> Issue
> [CVE-2018-8036|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8036]
>
> Source: National Vulnerability Database
>
> Severity: Sonatype CVSS 3.0: 7.5
>
> Weakness: Sonatype CWE: [400|https://cwe.mitre.org/data/definitions/400.html]
>
> Description from CVE:
> In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted
> (or fuzzed) file can trigger an infinite loop which leads to an out of memory
> exception in Apache PDFBox's AFMParser.
>
> Categories: Data
>
> Root Cause: fontbox-2.0.8.jar : [2.0.0, 2.0.11)
>
> Advisories
> Third Party: [https://bugzilla.redhat.com/show_bug.cgi?id=1597490]
> Project: https://issues.apache.org/jira/browse/PDFBOX-4251
>
> Sonatype recommendation is to update pdfbox fontbox to non-vulnerable version
> 2.0.11
> Can you please update pdfbox fontbox version used by Apache Tika?
>
> --- Abhijit Rajwade

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
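For anyone who cannot wait for the 1.19 release, the following is an added example (not from the Tika project or this issue) of pinning the transitive PDFBox artifacts in a Maven consumer of tika-parsers 1.18. The project coordinates `com.example:tika-consumer` are hypothetical; the affected version (fontbox 2.0.8 via Tika 1.18) and the fixed version (2.0.11) are taken from the issue text above. `pdfbox` is pinned alongside `fontbox` because the two are released together and mixing versions is not supported.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example pom.xml (hypothetical project), not part of the Tika issue:
     forces fontbox/pdfbox 2.0.11 under tika-parsers 1.18 until Tika 1.19 ships. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>tika-consumer</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Override the transitive fontbox 2.0.8 reported by the Sonatype scan
           (range [2.0.0, 2.0.11) is vulnerable to CVE-2018-8036). -->
      <dependency>
        <groupId>org.apache.pdfbox</groupId>
        <artifactId>fontbox</artifactId>
        <version>2.0.11</version>
      </dependency>
      <!-- Keep pdfbox at the same version as fontbox. -->
      <dependency>
        <groupId>org.apache.pdfbox</groupId>
        <artifactId>pdfbox</artifactId>
        <version>2.0.11</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The affected Tika release named in the issue. -->
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-parsers</artifactId>
      <version>1.18</version>
    </dependency>
  </dependencies>
</project>
```

After the override, `mvn dependency:tree -Dincludes=org.apache.pdfbox` should list fontbox and pdfbox at 2.0.11 rather than 2.0.8, which is what the Nexus scan keys on. Treat this as a stopgap: Tika 1.18 was not tested against PDFBox 2.0.11, so run your own parsing tests before shipping, and drop the pins once you move to the 1.19 release that carries the upgrade from TIKA-2681.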