[jira] [Created] (TIKA-2855) pdfbox version used by both Apache Tika 1.19.1 and 1.20 is vulnerable


JIRA jira@apache.org
Abhijit Rajwade created TIKA-2855:
-------------------------------------

             Summary: pdfbox version used by both Apache Tika 1.19.1 and 1.20 is vulnerable
                 Key: TIKA-2855
                 URL: https://issues.apache.org/jira/browse/TIKA-2855
             Project: Tika
          Issue Type: Bug
          Components: core
    Affects Versions: 1.19.1
            Reporter: Abhijit Rajwade


As per Sonatype Nexus Auditor, pdfbox versions up to 2.0.14 are vulnerable to
"CVE-2019-0228: possible XML External Entity (XXE) attack".

The recommended fix is to upgrade to pdfbox version 2.0.15.
Refer to the following pdfbox issue,
  https://issues.apache.org/jira/browse/PDFBOX-4505
which is fixed in version 2.0.15.

Can you please upgrade Apache Tika to use pdfbox 2.0.15?

The following are details from the Sonatype Nexus scan report:

Issue: CVE-2019-0228
Severity: Sonatype CVSS 3.0: 7.3
Weakness: Sonatype CWE: 611
Source: National Vulnerability Database
Categories: Data

Description from CVE: apache pdfbox - XML External Entity (XXE)
Root Cause: pdfbox-2.0.12.jar : ( , 2.0.15)
Advisories:
    Project: https://github.com/apache/pdfbox-docs/commit/b7869c3e4c62c5d...
    Project: https://issues.apache.org/jira/browse/PDFBOX-4505
    Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1699740 
CVSS Details:
    Sonatype CVSS 3.0: 7.3
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
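The "Root Cause" line in the scan report expresses the affected versions as the interval "( , 2.0.15)", i.e. every pdfbox release below 2.0.15. The script below is an added example (not part of the ticket, and not Tika or PDFBox code) showing how a build pipeline can turn that interval into an automated check: it parses the interval notation, compares Maven-style versions, and flags matching coordinates in `mvn dependency:list` style output. The dependency listing is a constructed sample, and the five-field `groupId:artifactId:type:version:scope` line format is an assumption about the listing being scanned.

```python
"""Flag Maven dependencies whose version falls inside a vulnerable interval.

Added example, not project code. The interval notation matches the
Sonatype "Root Cause" line in the report: "( , 2.0.15)" means every
version below 2.0.15 is affected (round bracket = exclusive bound,
square bracket = inclusive bound, empty side = unbounded).
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Values taken from the report: the affected artifact and its interval.
PDFBOX_COORDINATE = "org.apache.pdfbox:pdfbox"
PDFBOX_VULNERABLE_RANGE = "( , 2.0.15)"

# Constructed sample in `mvn dependency:list` style
# (assumed format: groupId:artifactId:type:version:scope).
SAMPLE_DEPENDENCY_LIST = """\
org.apache.tika:tika-parsers:jar:1.19.1:compile
org.apache.pdfbox:pdfbox:jar:2.0.12:compile
org.apache.pdfbox:fontbox:jar:2.0.12:compile
org.apache.pdfbox:pdfbox:jar:2.0.15:test
"""

MAVEN_SCOPES = {"compile", "test", "runtime", "provided", "system"}


def parse_version(text: str) -> Version:
    """Turn '2.0.14' into (2, 0, 14); a qualifier such as '-SNAPSHOT' is dropped."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_range(text: str) -> Tuple[Optional[Version], bool, Optional[Version], bool]:
    """Parse '( , 2.0.15)' or '[2.0.0, 2.0.15]' into (low, low_inclusive, high, high_inclusive)."""
    match = re.fullmatch(r"\s*([\[(])\s*([^,\s]*)\s*,\s*([^\]\)\s]*)\s*([\])])\s*", text)
    if not match:
        raise ValueError(f"unrecognised version interval: {text!r}")
    low_bracket, low, high, high_bracket = match.groups()
    low_version = parse_version(low) if low else None
    high_version = parse_version(high) if high else None
    return low_version, low_bracket == "[", high_version, high_bracket == "]"


def in_range(version: str, range_text: str) -> bool:
    """True when `version` lies inside the interval described by `range_text`."""
    low, low_inclusive, high, high_inclusive = parse_range(range_text)
    candidate = parse_version(version)
    if low is not None and (candidate < low or (candidate == low and not low_inclusive)):
        return False
    if high is not None and (candidate > high or (candidate == high and not high_inclusive)):
        return False
    return True


def find_vulnerable(dependency_list: str, coordinate: str, range_text: str) -> List[str]:
    """Return the versions of `coordinate` in the listing that fall inside the interval."""
    hits: List[str] = []
    for line in dependency_list.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not a groupId:artifactId:type:version line
        group_id, artifact_id = parts[0], parts[1]
        # With a trailing scope the version is second to last, otherwise last.
        version = parts[-2] if parts[-1] in MAVEN_SCOPES else parts[-1]
        if f"{group_id}:{artifact_id}" == coordinate and in_range(version, range_text):
            hits.append(version)
    return hits


if __name__ == "__main__":
    affected = find_vulnerable(SAMPLE_DEPENDENCY_LIST, PDFBOX_COORDINATE, PDFBOX_VULNERABLE_RANGE)
    for version in affected:
        print(f"{PDFBOX_COORDINATE}:{version} is inside {PDFBOX_VULNERABLE_RANGE}")
```

Only the compile-scope pdfbox 2.0.12 entry is reported; fontbox is a different artifact, and the 2.0.15 test-scope entry sits on the exclusive upper bound. Running the check against the real dependency tree of a Tika build would confirm whether the upgrade to 2.0.15 the ticket asks for has landed.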