Lucene search

GitHub Advisory DatabaseGHSA-W6G3-V46Q-5P28

HistoryOct 17, 2018 - 3:49 p.m.

Moderate severity vulnerability that affects org.apache.tika:tika-core

2018-10-1715:49:58

CWE-22

GitHub Advisory Database

github.com

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

42.4%

JSON

In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (–extract-dir=) and the input file has an embedded file with an absolute path, such as “C:/evil.bat”, tika-app would overwrite that file.

Affected configurations

Vulners

Node

org.apache.tika\tikaMatchcore

VendorProductVersionCPE
org.apache.tika\tikacorecpe:2.3:a:org.apache.tika\:tika:core:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.tika\	tika	core	cpe:2.3:a:org.apache.tika\:tika:core::::::::

References

www.securityfocus.com/bid/105515

github.com/advisories/GHSA-w6g3-v46q-5p28

lists.apache.org/thread.html/ab2e1af38975f5fc462ba89b517971ef892ec3d06bee12ea2258895b@%3Cdev.tika.apache.org%3E

nvd.nist.gov/vuln/detail/CVE-2018-11762

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

42.4%

JSON

Related for GHSA-W6G3-V46Q-5P28