Candidate: CVE-2018-11796
PublicDate: 2018-10-09 22:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11796
 https://lists.apache.org/thread.html/88de8350cda9b184888ec294c813c5bd8a2081de8fd3666f8904bc05@%3Cdev.tika.apache.org%3E
Description:
 In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit
 for XML parsing. However, Tika reuses SAXParsers and calls reset() after
 each parse, which, for Xerces2 parsers, as per the documentation, removes
 the user-specified SecurityManager and thus removes entity expansion limits
 after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore
 still vulnerable to entity expansions which can lead to a denial of service
 attack. Users should upgrade to 1.19.1 or later.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]


Patches_tika:
upstream_tika: released (1.19.1)
precise/esm_tika: DNE
trusty_tika: DNE
trusty/esm_tika: DNE
xenial_tika: ignored (end of standard support, was needed)
bionic_tika: needed
cosmic_tika: ignored (reached end-of-life)
disco_tika: ignored (reached end-of-life)
eoan_tika: ignored (reached end-of-life)
focal_tika: needed
groovy_tika: ignored (reached end-of-life)
hirsute_tika: ignored (reached end-of-life)
impish_tika: needed
jammy_tika: needed
devel_tika: needed