Pat cashman created TIKA-2877:
---------------------------------

Summary: Tika 1.20 suffers from 3 separate CVE vulnerabilities
Key: TIKA-2877
URL: https://issues.apache.org/jira/browse/TIKA-2877
Project: Tika
Issue Type: Bug
Components: app
Affects Versions: 1.20
Environment: These are generic issues.
Reporter: Pat cashman
Tika 1.20 third-party dependencies suffer from 3 separate CVE vulnerabilities, outlined below. I am aware that these are already included in a separate ticket which deals with the generic problem of outdated 3rd party libraries. [https://issues.apache.org/jira/projects/TIKA/issues/TIKA-2854]

At the very least you should update your security page with the details and potentially release 1.21 to correct these issues. [https://tika.apache.org/security.html]

*a) GUAVA v_17 -> CVE-2018-10237*
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers. [https://nvd.nist.gov/vuln/detail/CVE-2018-10237]

*b) jackson-databind v_2.9.7 -> CVE-2018-19362*
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. [https://nvd.nist.gov/vuln/detail/CVE-2018-19362]

*c) sqlite-jdbc v_3.25.2 -> CVE-2018-20346*
SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan. [https://nvd.nist.gov/vuln/detail/CVE-2018-20346]

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
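The three findings above reduce to "pinned version falls inside an affected range". As an added example (not Tika project code, and not from the reporter), the following script encodes the ranges exactly as quoted in the issue and checks a constructed dependency list mirroring the Tika 1.20 pins against them. It assumes Maven coordinates for the three artifacts and that the sqlite-jdbc version number tracks the bundled SQLite version, as the issue implies.

```python
"""Check pinned dependency versions against the affected ranges in TIKA-2877.
Added example; ranges come from the CVE text quoted in the issue."""
from typing import Dict, List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers; a non-numeric component ends parsing.
    Assumption: the compared artifacts use plain numeric dotted versions."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before b; missing components count as 0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))

# artifact -> (CVE, first affected version or None, first fixed version),
# transcribed from the advisory text quoted in the issue.
AFFECTED_RANGES: Dict[str, Tuple[str, Optional[str], str]] = {
    "com.google.guava:guava": ("CVE-2018-10237", "11.0", "24.1.1"),
    "com.fasterxml.jackson.core:jackson-databind": ("CVE-2018-19362", "2.0", "2.9.8"),
    "org.xerial:sqlite-jdbc": ("CVE-2018-20346", None, "3.25.3"),  # tracks SQLite version
}

def vulnerable_deps(deps: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, cve) for every pin inside an affected range."""
    hits = []
    for artifact, version in deps.items():
        if artifact not in AFFECTED_RANGES:
            continue
        cve, low, fixed = AFFECTED_RANGES[artifact]
        if low is not None and version_lt(version, low):
            continue  # older than the first affected release
        if version_lt(version, fixed):
            hits.append((artifact, version, cve))
    return hits

# Constructed sample mirroring the Tika 1.20 pins named in the issue.
TIKA_1_20_PINS = {
    "com.google.guava:guava": "17.0",
    "com.fasterxml.jackson.core:jackson-databind": "2.9.7",
    "org.xerial:sqlite-jdbc": "3.25.2",
}

if __name__ == "__main__":
    for artifact, version, cve in vulnerable_deps(TIKA_1_20_PINS):
        print(f"{artifact} {version} is affected by {cve}")
```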