[ https://issues.apache.org/jira/browse/TIKA-2686?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Allison resolved TIKA-2686.
-------------------------------
       Resolution: Duplicate
    Fix Version/s: 2.0.0
                   1.19

Thank you for raising this!  We upgraded via TIKA-2681 and look forward to a 
release of 1.19 later this month or early next.

> pdfbox fontbox 2.0.8 has security vulnerability CVE-2018-8036 and should be 
> upgraded to 2.0.11
> ----------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2686
>                 URL: https://issues.apache.org/jira/browse/TIKA-2686
>             Project: Tika
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.17, 1.18
>            Reporter: Abhijit Rajwade
>            Priority: Major
>              Labels: security
>             Fix For: 1.19, 2.0.0
>
>
> Sonatype Nexus scan on Apache Tika 1.18 reports CVE-2018-8036 on pdfbox 
> fontbox version 2.0.8 used by Tika 1.17.
> Details of the issue from Sonatype Nexus auditor are as follows.
>  
> Issue 
> [CVE-2018-8036|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8036]
>  
> Source National Vulnerability Database
>  
> Severity Sonatype CVSS 3.0: 7.5
>  
> Weakness Sonatype CWE: [400|https://cwe.mitre.org/data/definitions/400.html]
>  
> Description from CVE:
> In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted 
> (or fuzzed) file can trigger an infinite loop which leads to an out of memory 
> exception in Apache PDFBox's AFMParser.
>  
> Categories Data
>  
> Root Cause fontbox-2.0.8.jar : [2.0.0, 2.0.11)
>  
> Advisories
> Third Party: [https://bugzilla.redhat.com/show_bug.cgi?id=1597490]
> Project: https://issues.apache.org/jira/browse/PDFBOX-4251
> Sonatype recommendation is to update pdfbox fontbox to non vulnerable version 
> 2.0.11
> Can you please update pdfbox fontbox version used by Apache Tika?
> --- Abhijit Rajwade
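A small dependency check for the finding quoted above, added here as an example and not code from this ticket, Tika, PDFBox or Sonatype: it parses the affected range in the Maven interval notation the scan reports (`[2.0.0, 2.0.11)`) and flags matching coordinates in a constructed `mvn dependency:list` style listing.

```python
import re
from typing import List, Tuple

# Affected range exactly as the Sonatype finding on this ticket states it
# (Maven interval notation: '[' / ']' inclusive, '(' / ')' exclusive).
AFFECTED_RANGE = "[2.0.0, 2.0.11)"
# Constructed sample in `mvn dependency:list` format (not a real build's listing).
SAMPLE_DEPENDENCY_LIST = """\
   org.apache.pdfbox:pdfbox:jar:2.0.8:compile
   org.apache.pdfbox:fontbox:jar:2.0.8:compile
   org.apache.commons:commons-compress:jar:1.16.1:compile
"""

def parse_version(v: str) -> Tuple:
    """'2.0.8'/'2.0.0RC1' -> comparable tuple; a qualifier sorts below the bare release."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))   # pad so 2.0 == 2.0.0
    qualifier = m.group(2).lstrip("-.").lower()
    return nums + ((0, qualifier) if qualifier else (1, ""))

def parse_range(spec: str):
    """'[lo, hi)' -> (lo, lo_inclusive, hi, hi_inclusive); an empty bound is open."""
    m = re.fullmatch(r"\s*([\[(])([^,]*),([^\])]*)([\])])\s*", spec)
    if not m:
        raise ValueError(f"unparseable range: {spec!r}")
    lo = parse_version(m.group(2)) if m.group(2).strip() else None
    hi = parse_version(m.group(3)) if m.group(3).strip() else None
    return lo, m.group(1) == "[", hi, m.group(4) == "]"

def in_range(version: str, spec: str) -> bool:
    """True when `version` lies inside the advisory's affected interval."""
    lo, lo_incl, hi, hi_incl = parse_range(spec)
    v = parse_version(version)
    if lo is not None and (v < lo or (v == lo and not lo_incl)):
        return False
    if hi is not None and (v > hi or (v == hi and not hi_incl)):
        return False
    return True

def find_affected(dep_list: str, group: str, artifact: str, spec: str) -> List[str]:
    """Listed coordinates that match the advisory's artifact and fall in its range."""
    hits = []
    for line in dep_list.splitlines():
        p = line.strip().split(":")   # groupId:artifactId:type:version:scope
        if len(p) >= 4 and p[0] == group and p[1] == artifact and in_range(p[3], spec):
            hits.append(f"{p[0]}:{p[1]}:{p[3]}")
    return hits
```

The quoted root-cause range starts at 2.0.0, so a 2.0.0RC1 build, which the CVE text also lists, is reported clean by this check; widen the lower bound if the release candidates matter to you.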



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
