[jira] [Commented] (TIKA-2499) Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of vulnerable Third party components.

2017-11-10 Thread Nick Burch (JIRA)

[ 
https://issues.apache.org/jira/browse/TIKA-2499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16247704#comment-16247704
 ] 

Nick Burch commented on TIKA-2499:
--

The latest Apache Tika release is Apache Tika 1.16. Tika 1.13 was released 
about 18 months ago.

What happens if you upgrade to the latest release, does that solve your auditor 
issue?


[jira] [Commented] (TIKA-2499) Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of vulnerable Third party components.

2017-11-10 Thread Abhijit Rajwade (JIRA)

[ 
https://issues.apache.org/jira/browse/TIKA-2499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16247714#comment-16247714
 ] 

Abhijit Rajwade commented on TIKA-2499:
---

Sonatype Nexus Auditor shows that all current Apache Tika versions including 
Apache Tika 1.16 are vulnerable.

> Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of 
> vulnerable Third party components.
> --
>
> Key: TIKA-2499
> URL: https://issues.apache.org/jira/browse/TIKA-2499
> Project: Tika
>  Issue Type: Bug
>Affects Versions: 1.13
>Reporter: Abhijit Rajwade
>  Labels: Security
>
> Sonatype Nexus Auditor is reporting that Tika 1.13 is using a number of 
> vulnerable Third party components.
> Sr No | Vulnerability ID | Description from Nexus Auditor | Vulnerable 
> Third party component | Fixed Third party component
> 1 SONATYPE-2017-0355  Source Sonatype Data Research
> Severity Sonatype CVSS 3.0: 7.5
> Weakness Sonatype CWE: 20
> Explanation
> jackson-core is vulnerable to Denial of Service (DoS). The 
> _reportInvalidToken() function in the UTF8StreamJsonParser and 
> ReaderBasedJsonParser classes allows large amounts of extraneous data to be 
> printed to the server log. An attacker can exploit this vulnerability by 
> crafting a POST request containing large amounts of data. When the data 
> contains invalid JSON, an exception is thrown, which results in the 
> consumption of available disk space when the error message is written to 
> server.log along with the request data.
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
> Root Cause
> tika-app-1.13.jar <= ReaderBasedJsonParser.class : [2.0.0-RC1, 2.8.6)
> tika-app-1.13.jar <= UTF8StreamJsonParser.class : [2.0.0-RC1, 2.8.6)
> Advisories
> Attack: https://issues.jboss.org/browse/JBEAP-6316
> Project: https://github.com/FasterXML/jackson-core/pull/322
> Jackson   
> Fixed version: Jackson 2.8.6 or later
> 2 SONATYPE-2017-0359  Source Sonatype Data Research
> Severity Sonatype CVSS 3.0: 7.5
> Weakness Sonatype CWE: 22
> Explanation
> The Apache httpcomponents component is vulnerable to Directory Traversal. The 
> normalizePath() function in the URIBuilder class allows directory traversal 
> characters such as ../. An attacker can exploit this vulnerability by sending 
> a specially crafted request containing this sequence in the URL path, 
> allowing the attacker to traverse beyond the allowed directory and retrieve 
> the contents of arbitrary files from the server, leading to information 
> disclosure.
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
> Root Cause
> tika-app-1.13.jar <= URIBuilder.class : [4.2.1-RC1, 4.5.3)
> Advisories
> Project: https://issues.apache.org/jira/browse/HTTPCLIENT-1803
> Apache httpcomponents 
> Fixed Version: Apache httpcomponents 4.5.3 or later
> 3 CVE-2017-12620  Issue CVE-2017-12620
> Source National Vulnerability Database
> Severity Sonatype CVSS 3.0: 7.3
> Weakness Sonatype CWE: 611
> Description from CVE
> When loading models or dictionaries that contain XML it is possible to 
> perform an XXE attack, since Apache OpenNLP is a library, this only affects 
> applications that load models or dictionaries from untrusted sources. The 
> versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache 
> OpenNLP are affected.
> Explanation
> Apache OpenNLP is vulnerable to XML External Entity (XXE) attack. The 
> constructor in the ConstitParseSampleStream class, createDOM() function in 
> the GeneratorFactory class, and the parse() function in the 
> IrishSentenceBankDocument and LetsmtDocument classes allows unsafe external 
> entities when processing XML data from models and dictionaries. A remote 
> attacker can exploit this by submitting specially crafted XML, which can 
> potentially lead to Denial of Service, Information Disclosure, or other 
> attacks.
> Advisory Deviation Notice 
> The Sonatype security research team discovered that the vulnerability is 
> present in version 1.5.2-incubating-rc1 until 1.8.2, not in all the versions 
> from 1.5.0 till 1.8.2 as the advisory states.
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
> Root Cause
> tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar <= 
> ConstitParseSampleStream.class : [1.5.3-r
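The two comments above disagree about whether a newer Tika release clears these findings, and the quoted report only gives version ranges per class, not the versions Tika actually ships. The following is an added example (not code from the Tika project, Sonatype, or anyone in this thread) that answers that question offline: it opens a Tika fat jar, reads every `META-INF/maven/<groupId>/<artifactId>/pom.properties` it carries, descends into nested jars the way the report's `tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar` chain does, and tests each version against the report's Maven-style ranges. It assumes the fat jar still carries the Maven `pom.properties` entries (the shade plugin keeps them by default). The jackson-core 2.7.4 and httpclient 4.5.2 numbers in the constructed fixtures are assumed values inside the reported ranges, not the versions Tika 1.13 shipped; the OpenNLP range is the one from the Advisory Deviation Notice, because the Root Cause line above is cut off.

```python
"""Added example: not code from the Tika project or from anyone in this thread.

Offline check of what a Tika fat jar actually bundles, compared against the
fixed versions named in the Nexus Auditor report above. It reads the
META-INF/maven/*/*/pom.properties entries, descends into nested jars (the
report's "tika-bundle-1.13.jar <= opennlp-tools-1.5.3.jar" chain) and tests
each version against the report's Maven-style ranges. Standard library only.
"""
import io
import re
import zipfile

# Ranges copied from the report. The OpenNLP range is the one from Sonatype's
# "Advisory Deviation Notice", because the Root Cause line above is cut off.
VULNERABLE_RANGES = {
    ("com.fasterxml.jackson.core", "jackson-core"): ("[2.0.0-RC1, 2.8.6)", "SONATYPE-2017-0355"),
    ("org.apache.httpcomponents", "httpclient"): ("[4.2.1-RC1, 4.5.3)", "SONATYPE-2017-0359"),
    ("org.apache.opennlp", "opennlp-tools"): ("[1.5.2-incubating-rc1, 1.8.2)", "CVE-2017-12620"),
}
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def version_key(version):
    """Simplified Maven ordering: numeric parts first; a plain release sorts
    above any pre-release qualifier (2.0.0-RC1 < 2.0.0 < 2.0.1)."""
    nums, quals = [], []
    for part in re.split(r"[.\-]", version.strip().lower()):
        (nums if part.isdigit() else quals).append(int(part) if part.isdigit() else part)
    nums += [0] * (5 - len(nums))  # so 2.8 compares equal to 2.8.0
    return (nums, 0 if quals else 1, quals)


def parse_range(spec):
    """'[2.0.0-RC1, 2.8.6)' -> (low, high, low_inclusive, high_inclusive)."""
    m = re.fullmatch(r"\s*([\[(])\s*([^,\s]+)\s*,\s*([^\s\])]+)\s*([\])])\s*", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    return lo, hi, lo_br == "[", hi_br == "]"


def in_range(version, spec):
    lo, hi, lo_inc, hi_inc = parse_range(spec)
    k = version_key(version)
    above = k >= version_key(lo) if lo_inc else k > version_key(lo)
    below = k <= version_key(hi) if hi_inc else k < version_key(hi)
    return above and below


def embedded_components(jar_bytes, chain):
    """[(groupId, artifactId, version, chain)] for every pom.properties found,
    recursing into nested jars; chain is the list of enclosing jar names."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if m:
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, _, val = line.partition("=")
                        props[key.strip()] = val.strip()
                found.append((props.get("groupId", m.group(1)), props.get("artifactId", m.group(2)),
                              props.get("version", "?"), chain))
            elif name.lower().endswith(".jar"):
                found.extend(embedded_components(zf.read(name), chain + [name.rsplit("/", 1)[-1]]))
    return found


def audit(jar_bytes, jar_name, ranges=VULNERABLE_RANGES):
    """(advisory, artifact-version, 'outer.jar <= inner.jar') for each bundled
    component whose version lies inside a reported range; [] means clean."""
    findings = []
    for group, artifact, version, chain in embedded_components(jar_bytes, [jar_name]):
        spec, advisory = ranges.get((group, artifact), (None, None))
        if spec and in_range(version, spec):
            findings.append((advisory, f"{artifact}-{version}", " <= ".join(chain)))
    return sorted(findings)


def build_jar(components, nested=()):
    """Constructed fixture: a minimal jar with pom.properties entries and
    optional nested jars. Not a real Tika release."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for group, artifact, version in components:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"#Generated by Maven\ngroupId={group}\nartifactId={artifact}\nversion={version}\n")
        for name, inner in nested:
            zf.writestr(name, inner)
    return buf.getvalue()


# Fixtures shaped like the report's Root Cause lines. jackson-core 2.7.4 and
# httpclient 4.5.2 are assumed values inside the reported ranges; the thread
# does not say which versions Tika 1.13 actually shipped.
OLD_APP = build_jar([("com.fasterxml.jackson.core", "jackson-core", "2.7.4"),
                     ("org.apache.httpcomponents", "httpclient", "4.5.2")])
OLD_BUNDLE = build_jar([], nested=[("opennlp-tools-1.5.3.jar",
                                    build_jar([("org.apache.opennlp", "opennlp-tools", "1.5.3")]))])
# What an upgrade has to reach before the auditor stops flagging these three.
FIXED_APP = build_jar([("com.fasterxml.jackson.core", "jackson-core", "2.8.6"),
                       ("org.apache.httpcomponents", "httpclient", "4.5.3"),
                       ("org.apache.opennlp", "opennlp-tools", "1.8.2")])

if __name__ == "__main__":
    for jar_name, data in [("tika-app-1.13.jar", OLD_APP), ("tika-bundle-1.13.jar", OLD_BUNDLE),
                           ("tika-app-upgraded.jar", FIXED_APP)]:
        print(jar_name, "->", audit(data, jar_name) or "no reported component in a vulnerable range")
```

To run it against a real release, pass the jar bytes and its name, e.g. `audit(open("tika-app-1.16.jar", "rb").read(), "tika-app-1.16.jar")`, and compare the output with the Root Cause lines Nexus prints. Two caveats: the auditor fingerprints classes, so a shaded jar that had its `pom.properties` stripped or had a class relocated can still be flagged when this check is silent, and the auditor marks an application "vulnerable by using this component" regardless of reachability, whereas the CVE text for OpenNLP itself limits the XXE to applications that load models or dictionaries from untrusted sources. A clean result here means the bundled versions are at or past the fixed releases, which is the first thing to establish before arguing reachability with the auditor.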