[
https://issues.apache.org/jira/browse/TIKA-2855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tim Allison resolved TIKA-2855.
-------------------------------
Resolution: Duplicate
Thank you!
> pdfbox version used by both Apache Tika 1.19.1 and 1.20 is vulnerable
> ---------------------------------------------------------------------
>
> Key: TIKA-2855
> URL: https://issues.apache.org/jira/browse/TIKA-2855
> Project: Tika
> Issue Type: Bug
> Components: core
> Affects Versions: 1.19.1
> Reporter: Abhijit Rajwade
> Priority: Major
>
> As per Sonatype Nexus Auditor, pdfbox versions up to 2.0.14 are vulnerable to
> "CVE-2019-0228: possible XML External Entity (XXE) attack".
> The recommended fix is to upgrade to pdfbox version 2.0.15.
> Refer to the following pdfbox issue,
> https://issues.apache.org/jira/browse/PDFBOX-4505
> which is fixed in version 2.0.15.
> Can you please upgrade Apache Tika to use pdfbox 2.0.15?
> Following are the details from the Sonatype Nexus scan report:
> Issue: CVE-2019-0228
> Severity: Sonatype CVSS 3.0: 7.3
> Weakness: Sonatype CWE: 611
> Source: National Vulnerability Database
> Categories: Data
> Description from CVE: apache pdfbox - XML External Entity (XXE)
> Root Cause: pdfbox-2.0.12.jar : ( , 2.0.15)
> Advisories:
> Project: https://github.com/apache/pdfbox-docs/commit/b7869c3e4c62c5d...
> Project: https://issues.apache.org/jira/browse/PDFBOX-4505
> Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1699740
> CVSS Details:
> Sonatype CVSS 3.0: 7.3
> CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)