[ 
https://issues.apache.org/jira/browse/TIKA-2877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16841492#comment-16841492
 ] 

Tim Allison commented on TIKA-2877:
-----------------------------------

Voting is underway for 1.21:
https://lists.apache.org/thread.html/2c027535156cc6862149490b289552d72ba5a9bff985fb7cce794e21@%3Cdev.tika.apache.org%3E

I can add a new table for dependency vulnerabilities on our security page.  
Thank you.

> Tika 1.20 suffers from 3 separate CVE vulnerabilities
> -----------------------------------------------------
>
>                 Key: TIKA-2877
>                 URL: https://issues.apache.org/jira/browse/TIKA-2877
>             Project: Tika
>          Issue Type: Bug
>          Components: app
>    Affects Versions: 1.20
>         Environment: These are generic issues.
>            Reporter: Pat cashman
>            Priority: Critical
>
> Tika 1.20 third party dependencies suffer from 3 separate CVE 
> vulnerabilities outlined below.
> I am aware that these are already included in a separate ticket which deals 
> with the generic problem of outdated 3rd party libraries. 
> [https://issues.apache.org/jira/projects/TIKA/issues/TIKA-2854]
> At the very least you should update your security page with the details and 
> potentially release 1.21 to correct these issues.
> [https://tika.apache.org/security.html]
>  
> *a) GUAVA v_17 -> CVE-2018-10237*
> Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 
> allows remote attackers to conduct denial of service attacks against servers
> [https://nvd.nist.gov/vuln/detail//CVE-2018-10237]
>  
> *b) jackson-databind v_2.9.7 -> CVE-2018-19362*
> FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have 
> unspecified impact by leveraging failure to block the jboss-common-core class 
> from polymorphic deserialization.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-19362]
>  
> *c) sqlite-jdbc v_3.25.2 -> CVE-2018-20346*
> SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an 
> integer overflow (and resultant buffer overflow) for FTS3 queries that occur 
> after crafted changes to FTS3 shadow tables, allowing remote attackers to 
> execute arbitrary code by leveraging the ability to run arbitrary SQL 
> statements (such as in certain WebSQL use cases), aka Magellan.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-20346]
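The three advisories quoted above each name an affected version range and a first fixed release. The script below is an added example, not Tika project code and not part of the ticket: it audits a dependency listing in the style of `mvn dependency:list` output against those three ranges and reports any artifact that falls inside one. The advisory table is taken from the NVD text quoted in the ticket; two points are assumptions, that jackson-databind "2.x" means every 2.0 and later release before 2.9.8, and that an sqlite-jdbc artifact embeds the SQLite release with the same version number. The sample listing is constructed and simply reproduces the versions named in the ticket plus one already-patched artifact.

```python
# Added example: version-range audit of a Maven dependency listing against the
# three advisories quoted in TIKA-2877. Not Tika project code.

# Advisory table built from the NVD text in the ticket. Lower bound is
# inclusive, upper bound (the first fixed release) is exclusive. Assumptions:
# jackson-databind "2.x" is taken as >= 2.0, and sqlite-jdbc is assumed to
# embed the SQLite release carrying the same version number.
ADVISORIES = [
    ("com.google.guava:guava", "CVE-2018-10237", "11.0", "24.1.1"),
    ("com.fasterxml.jackson.core:jackson-databind", "CVE-2018-19362", "2.0", "2.9.8"),
    ("org.xerial:sqlite-jdbc", "CVE-2018-20346", "0", "3.25.3"),
]


def parse_version(text):
    """Convert '24.1-jre' or '3.25.2' into a tuple of ints; non-numeric qualifiers are ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """Numeric comparison with zero-padding so that 24.1 == 24.1.0 < 24.1.1."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def is_affected(version, lower, fixed):
    """True when lower <= version < fixed, i.e. the artifact predates the fix."""
    return not version_lt(version, lower) and version_lt(version, fixed)


def parse_maven_line(line):
    """Extract (groupId:artifactId, version) from a `mvn dependency:list` line, or None."""
    line = line.replace("[INFO]", "").strip()
    fields = line.split(":")
    # groupId:artifactId:type[:classifier]:version:scope -> version is second from last
    if len(fields) < 5:
        return None
    return f"{fields[0]}:{fields[1]}", fields[-2]


def audit(listing):
    """Return [(coordinate, version, cve), ...] for every dependency inside an affected range."""
    findings = []
    for line in listing:
        parsed = parse_maven_line(line)
        if parsed is None:
            continue
        coord, version = parsed
        for adv_coord, cve, lower, fixed in ADVISORIES:
            if coord == adv_coord and is_affected(version, lower, fixed):
                findings.append((coord, version, cve))
    return findings


# Constructed sample listing in the style of `mvn dependency:list` output; the
# versions match those named in the ticket plus one already-patched artifact.
SAMPLE_LISTING = [
    "[INFO] The following files have been resolved:",
    "[INFO]    com.google.guava:guava:jar:17.0:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile",
    "[INFO]    org.xerial:sqlite-jdbc:jar:3.25.2:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile",
]

if __name__ == "__main__":
    for coord, version, cve in audit(SAMPLE_LISTING):
        print(f"{coord} {version} is affected by {cve}")
```

Running the script on the sample listing flags guava 17.0, jackson-databind 2.9.7 and sqlite-jdbc 3.25.2, and leaves jackson-core 2.9.8 alone. The listing should come from the full resolved tree, including transitive dependencies, since the artifacts in the ticket are pulled in by Tika's parsers rather than declared by an application directly; a version-only check like this one also cannot tell whether the vulnerable code path (FTS3 queries, polymorphic deserialization with default typing enabled) is actually reachable, which is what a per-dependency row on the security page would need to state.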



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
