Pat cashman created TIKA-2877:
---------------------------------

             Summary: Tika 1.20 suffers from 3 separate CVE vulnerabilities
                 Key: TIKA-2877
                 URL: https://issues.apache.org/jira/browse/TIKA-2877
             Project: Tika
          Issue Type: Bug
          Components: app
    Affects Versions: 1.20
         Environment: These are generic issues.
            Reporter: Pat cashman


Tika 1.20 third-party dependencies suffer from 3 separate CVE 
vulnerabilities, outlined below.

I am aware that these are already included in a separate ticket which deals 
with the generic problem of outdated 3rd party libraries. 
[https://issues.apache.org/jira/projects/TIKA/issues/TIKA-2854]

At the very least you should update your security page with the details and 
potentially release 1.21 to correct these issues.

[https://tika.apache.org/security.html]

 

*a) Guava v_17 -> CVE-2018-10237*

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 
allows remote attackers to conduct denial of service attacks against servers

[https://nvd.nist.gov/vuln/detail/CVE-2018-10237]

 

*b) jackson-databind v_2.9.7 -> CVE-2018-19362*

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have 
unspecified impact by leveraging failure to block the jboss-common-core class 
from polymorphic deserialization.

[https://nvd.nist.gov/vuln/detail/CVE-2018-19362]

 

*c) sqlite-jdbc v_3.25.2 -> CVE-2018-20346*

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer 
overflow (and resultant buffer overflow) for FTS3 queries that occur after 
crafted changes to FTS3 shadow tables, allowing remote attackers to execute 
arbitrary code by leveraging the ability to run arbitrary SQL statements (such 
as in certain WebSQL use cases), aka Magellan.

[https://nvd.nist.gov/vuln/detail/CVE-2018-20346]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

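As an added example (not part of the JIRA report above, and not Tika project code), the following script turns the three affected ranges stated in the quoted NVD descriptions into a check that can be run over `mvn dependency:list` output. The sample output it scans is constructed for illustration, not real Tika 1.20 build output; the groupId/artifactId coordinates are the usual Maven Central ones, and the sqlite-jdbc range assumes the artifact version tracks the bundled SQLite version (so "SQLite before 3.25.3" is applied to the sqlite-jdbc coordinate).

```python
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the NVD descriptions quoted in the report:
# (groupId, artifactId, CVE, first affected (inclusive), first fixed (exclusive)).
AFFECTED_RANGES = [
    ("com.google.guava", "guava", "CVE-2018-10237", "11.0", "24.1.1"),
    ("com.fasterxml.jackson.core", "jackson-databind", "CVE-2018-19362", "2.0", "2.9.8"),
    # Assumption: the sqlite-jdbc artifact version tracks the bundled SQLite
    # version, so "SQLite before 3.25.3" is applied to the sqlite-jdbc coordinate.
    ("org.xerial", "sqlite-jdbc", "CVE-2018-20346", "0", "3.25.3"),
]


def parse_version(text: str) -> Version:
    """Turn '24.1-jre', '2.9.7' or '3.25.2' into a comparable 3-tuple.

    Qualifiers after the first '-' (jre, android, SNAPSHOT) are dropped and the
    numeric part is zero-padded so that '11' and '11.0' compare equal.
    """
    core = text.split("-", 1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            break  # stop at the first non-numeric component
        parts.append(int(piece))
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def affecting_cve(group: str, artifact: str, version: str) -> Optional[str]:
    """Return the CVE id whose range contains this coordinate, or None."""
    v = parse_version(version)
    for g, a, cve, lo, hi in AFFECTED_RANGES:
        if (g, a) == (group, artifact) and parse_version(lo) <= v < parse_version(hi):
            return cve
    return None


DEP_LINE = re.compile(r"^\[INFO\]\s+(\S+)$")


def parse_dependency_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse one `mvn dependency:list` line: groupId:artifactId:type[:classifier]:version:scope."""
    m = DEP_LINE.match(line.strip())
    if not m:
        return None
    parts = m.group(1).split(":")
    if len(parts) < 5:
        return None
    # version is always the second-to-last field whether or not a classifier is present
    return parts[0], parts[1], parts[-2]


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (groupId, artifactId, version, CVE) for every affected coordinate found."""
    findings: List[Tuple[str, str, str, str]] = []
    for line in lines:
        coord = parse_dependency_line(line)
        if coord is None:
            continue
        cve = affecting_cve(*coord)
        if cve:
            findings.append((coord[0], coord[1], coord[2], cve))
    return findings


# Constructed sample in the format of `mvn dependency:list` output for a
# hypothetical build; this is NOT real Tika 1.20 build output.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    com.google.guava:guava:jar:17.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile
[INFO]    org.xerial:sqlite-jdbc:jar:3.25.2:compile
[INFO]    commons-io:commons-io:jar:2.6:compile
[INFO]    com.google.guava:guava:jar:27.0-jre:test
"""

if __name__ == "__main__":
    for group, artifact, version, cve in scan(SAMPLE_OUTPUT.splitlines()):
        print(f"{cve}: {group}:{artifact}:{version}")
```

This flags the three coordinates named in the report and leaves the fixed guava 27.0-jre alone. It is a version-presence check only: it does not tell you whether the vulnerable code path is reachable in your deployment (for example, the jackson-databind issue concerns polymorphic deserialization, and the SQLite issue requires FTS3 and the ability to run SQL), so treat a hit as a prompt to upgrade, not as proof of exploitability.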