[ https://issues.apache.org/jira/browse/TIKA-2716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16603335#comment-16603335 ]
Konstantin Gribov commented on TIKA-2716:
-----------------------------------------

Won't Fix because {{spring-*}} is excluded from the dependency tree now (see TIKA-2721)

> Sonatype Nexus auditor is reporting that spring framework version used by Tika 1.18 is vulnerable
> -------------------------------------------------------------------------------------------------
>
>                 Key: TIKA-2716
>                 URL: https://issues.apache.org/jira/browse/TIKA-2716
>             Project: Tika
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.18
>            Reporter: Abhijit Rajwade
>            Assignee: Konstantin Gribov
>            Priority: Major
>             Fix For: 2.0, 1.19
>
>
> Sonatype Nexus auditor is reporting that spring framework version used by Apache Tika 1.18 is vulnerable. Recommendation is to upgrade to a non-vulnerable version of Spring framework - 4.3.15/later or 5.0.5/later
>
> Refer to the following details
>
> Issue
> [CVE-2018-1270|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1270]
>
> Source: National Vulnerability Database
>
> Severity
> CVE CVSS 3.0: 9.8
> CVE CVSS 2.0: 7.5
> Sonatype CVSS 3.0: 9.8
>
> Weakness
> CVE CWE: [358|https://cwe.mitre.org/data/definitions/358.html]
>
> Description from CVE
> Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
>
> Explanation
> The Spring Framework {{spring-messaging}} module is vulnerable to Remote Code Execution (RCE). The {{getMethods()}} method in the {{ReflectiveMethodResolver}} class, the {{canWrite}} method in the {{ReflectivePropertyAccessor}} class, and the {{filterSubscriptions()}} method in the {{DefaultSubscriptionRegistry}} class do not properly restrict SpEL expression evaluation. A remote attacker can exploit this vulnerability by crafting a request to an exposed STOMP endpoint and injecting a malicious payload into the {{selector}} header. The application would then execute the payload via a call to {{expression.getValue()}} whenever a new message is sent to the broker.
>
> Detection
> The application is vulnerable by using this component.
>
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
>
> Categories
> Data
>
> Root Cause
> tika-app-1.18.jar *<=* ReflectivePropertyAccessor.class : [3.0.0.RELEASE , 4.3.15.RELEASE)
> tika-app-1.18.jar *<=* ReflectiveMethodResolver.class : [3.0.0.RELEASE , 4.3.15.RELEASE)
>
> Advisories
> Attack: [http://www.polaris-lab.com/index.php/archives/501/]
> Attack: [https://chybeta.github.io/2018/04/07/spring-messaging-Remote...|https://chybeta.github.io/2018/04/07/spring-messaging-Remote-Code-Execution-%E5%88%86%E6%9E%90-%E3%80%90CVE-2018-1270%E3%80%91/]
> Project: [https://jira.spring.io/browse/SPR-16588]

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
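The resolution above relies on the {{spring-*}} exclusion actually keeping the flagged classes out of the shipped jar. The script below is an added example, not Tika project code or Sonatype's tooling: it opens a (possibly shaded) jar, reports whether the two classes Sonatype named in the root cause are bundled, reads any Maven `pom.properties` for `org.springframework` artifacts to recover the embedded Spring version, and checks that version against the affected ranges. The jars it inspects are constructed in memory, the `4.3.14.RELEASE` version is a constructed sample (the ticket does not state which Spring version Tika 1.18 shipped), and the 5.x range is taken from the CVE description ("versions 5.0 prior to 5.0.5") rather than from the Sonatype root-cause listing.

```python
"""Check a built jar for the spring-expression classes flagged in TIKA-2716.

Added example, not Tika project code. Sample jars are constructed in memory so
the script runs offline; pass real jar paths on the command line to audit them.
"""
import io
import re
import zipfile

# Classes named as the root cause for tika-app-1.18.jar in the ticket; both live
# in the spring-expression package org.springframework.expression.spel.support.
FLAGGED_CLASSES = (
    "org/springframework/expression/spel/support/ReflectivePropertyAccessor.class",
    "org/springframework/expression/spel/support/ReflectiveMethodResolver.class",
)

# Maven range notation, [lower, upper). The first range is the one Sonatype
# reported; the second is assumed from the CVE text ("5.0 prior to 5.0.5").
AFFECTED_RANGES = ("[3.0.0.RELEASE , 4.3.15.RELEASE)", "[5.0.0.RELEASE , 5.0.5.RELEASE)")

_RANGE = re.compile(r"^([\[(])\s*([^,\s]*)\s*,\s*([^\])\s]*)\s*([\])])$")


def version_key(version: str) -> tuple:
    """Turn '4.3.15.RELEASE' into (4, 3, 15); qualifiers are dropped, short versions padded."""
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version: str, spec: str) -> bool:
    """Return True if version falls inside one Maven range such as '[3.0.0.RELEASE , 4.3.15.RELEASE)'."""
    m = _RANGE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported range syntax: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    v = version_key(version)
    if lo:
        lo_k = version_key(lo)
        if v < lo_k or (v == lo_k and lo_br == "("):
            return False
    if hi:
        hi_k = version_key(hi)
        if v > hi_k or (v == hi_k and hi_br == ")"):
            return False
    return True


def audit_jar(jar_bytes: bytes) -> dict:
    """Report flagged classes, embedded Spring versions, and a conservative verdict."""
    findings = {"flagged_classes": [], "spring_versions": {}, "vulnerable": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        findings["flagged_classes"] = sorted(c for c in FLAGGED_CLASSES if c in names)
        for name in names:
            # Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into
            # each jar; shade plugins normally carry these into the merged jar.
            if name.startswith("META-INF/maven/org.springframework/") and name.endswith("pom.properties"):
                artifact = name.split("/")[3]
                props = dict(line.split("=", 1) for line in zf.read(name).decode().splitlines()
                             if "=" in line and not line.startswith("#"))
                if "version" in props:
                    findings["spring_versions"][artifact] = props["version"].strip()
    versions = list(findings["spring_versions"].values())
    if findings["flagged_classes"]:
        # Bundled classes with no recoverable version are treated as affected.
        findings["vulnerable"] = (not versions) or any(
            in_range(v, r) for v in versions for r in AFFECTED_RANGES)
    return findings


def build_jar(entries: dict) -> bytes:
    """Build an in-memory jar from {path: bytes}; constructed test input, not a real Tika jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed stand-in for a fat jar that still bundles spring-expression 4.3.14.
BUNDLED_JAR = build_jar({
    "org/apache/tika/Tika.class": b"",
    FLAGGED_CLASSES[0]: b"",
    FLAGGED_CLASSES[1]: b"",
    "META-INF/maven/org.springframework/spring-expression/pom.properties":
        b"#Generated by Maven\nversion=4.3.14.RELEASE\n"
        b"groupId=org.springframework\nartifactId=spring-expression\n",
})
# Constructed stand-in for a jar built after the spring-* exclusion.
EXCLUDED_JAR = build_jar({"org/apache/tika/Tika.class": b""})

if __name__ == "__main__":
    import sys
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "constructed bundled jar": BUNDLED_JAR,
        "constructed excluded jar": EXCLUDED_JAR,
    }
    for label, data in targets.items():
        print(label, audit_jar(data))
```

Run with no arguments it audits the two constructed jars; run as `python audit.py tika-app-1.18.jar tika-app-1.19.jar` it audits real builds, which is the check to run after an exclusion like the one in TIKA-2721 lands. The verdict is deliberately conservative: flagged classes present with no recoverable version count as affected, so a jar that strips `pom.properties` still gets reported for review.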