CVE-2018-11796

In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/105585	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2019:3892
https://lists.apache.org/thread.html/88de8350cda9b184888ec294c813c5bd8a2081de8fd3666f8904bc05%40%3Cdev.tika.apache.org%3E
https://security.netapp.com/advisory/ntap-20190903-0002/

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-10-09 22:29

Updated : 2023-11-07 02:51

NVD link : CVE-2018-11796

Mitre link : CVE-2018-11796

CVE.ORG link : CVE-2018-11796

JSON object : View

Products Affected

apache

tika

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2018-11796", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2018-10-09T22:29:00.393", "references": [{"url": "http://www.securityfocus.com/bid/105585", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security@apache.org"}, {"url": "https://access.redhat.com/errata/RHSA-2019:3892", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/88de8350cda9b184888ec294c813c5bd8a2081de8fd3666f8904bc05%40%3Cdev.tika.apache.org%3E", "source": "security@apache.org"}, {"url": "https://security.netapp.com/advisory/ntap-20190903-0002/", "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later."}, {"lang": "es", "value": "En Apache Tika 1.19 (CVE-2018-11761), se ha a\u00f1adido un l\u00edmite de expansi\u00f3n de entidades para el an\u00e1lisis XML. Sin embargo, Tika reutiliza SAXParsers y llama a reset() tras cada an\u00e1lisis y, en el caso de los analizadores Xerces2, tal y como se indica en la documentaci\u00f3n, elimina el SecurityManager especificado por el usuario y elimina los l\u00edmites de expansi\u00f3n de entidades tras el primer an\u00e1lisis. Por lo tanto, las versiones de la 0.1 a la 1.19 de Apache Tika siguen siendo vulnerables a expansiones de entidades, lo que podr\u00eda conducir a un ataque de denegaci\u00f3n de servicio (DoS). Los usuarios deber\u00edan actualizar a la versi\u00f3n 1.19.1 o posteriores."}], "lastModified": "2023-11-07T02:51:47.970", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "889B834A-0580-4075-8953-4EAA88DDEACF", "versionEndIncluding": "1.19", "versionStartIncluding": "0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}