CVE-2018-11796

EPSS 6.9%

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 6.9%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

09 Oct 2018Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.

Affected products

Apache Software Foundation · Apache Tika

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://access.redhat.com/errata/RHSA-2019:3892 https://lists.apache.org/thread.html/88de8350cda9b184888ec294c813c5bd8a2081de8fd3666f8904bc05%40%3Cdev.tika.apache.org%3E https://security.netapp.com/advisory/ntap-20190903-0002/http://www.securityfocus.com/bid/105585