Abhijit Rajwade created TIKA-2855:
-------------------------------------
Summary: pdfbox version used by both Apache Tika 1.19.1 and 1.20
is vulnerable
Key: TIKA-2855
URL: https://issues.apache.org/jira/browse/TIKA-2855
Project: Tika
Issue Type: Bug
Components: core
Affects Versions: 1.19.1
Reporter: Abhijit Rajwade
As per Sonatype Nexus Auditor, pdfbox versions up to 2.0.14 are vulnerable to
"CVE-2019-0228: possible XML External Entity (XXE) attack".
Recommended fix is to upgrade to pdfbox version 2.0.15
Refer to the following pdfbox issue
https://issues.apache.org/jira/browse/PDFBOX-4505
which is fixed in version 2.0.15
Can you please upgrade Apache Tika to use pdfbox 2.0.15?
The following are details from the Sonatype Nexus scan report
Issue: CVE-2019-0228
Severity: Sonatype CVSS 3.0: 7.3
Weakness: Sonatype CWE: 611
Source: National Vulnerability Database
Categories: Data
Description from CVE: apache pdfbox - XML External Entity (XXE)
Root Cause: pdfbox-2.0.12.jar : ( , 2.0.15)
Advisories:
Project: https://github.com/apache/pdfbox-docs/commit/b7869c3e4c62c5d...
Project: https://issues.apache.org/jira/browse/PDFBOX-4505
Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1699740
CVSS Details:
Sonatype CVSS 3.0: 7.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
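As an added example (not part of this issue, and not code from the Tika or PDFBox projects), here is how a downstream Maven build that consumes tika-parsers 1.20 can force the pdfbox version reported as fixed (2.0.15) without waiting for a Tika release, by pinning it in dependencyManagement. The artifact coordinates org.apache.tika:tika-parsers and org.apache.pdfbox:pdfbox are the real ones; pinning fontbox to the same version is an assumption made here so that the two pdfbox modules stay aligned, since a mismatched fontbox is a common source of runtime errors after such an override.

```xml
<!-- Added example: pom.xml fragment that overrides the pdfbox version pulled in
     transitively by tika-parsers. Tika 1.20 and the fontbox pin are assumptions
     for illustration; the pdfbox version is the one the issue reports as fixed. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Force pdfbox 2.0.15 (PDFBOX-4505 / CVE-2019-0228 fix) over the 2.0.x
           version that tika-parsers 1.19.1 / 1.20 would otherwise resolve. -->
      <dependency>
        <groupId>org.apache.pdfbox</groupId>
        <artifactId>pdfbox</artifactId>
        <version>2.0.15</version>
      </dependency>
      <!-- Assumed: keep fontbox at the same version as pdfbox so the two
           modules do not drift apart after the override. -->
      <dependency>
        <groupId>org.apache.pdfbox</groupId>
        <artifactId>fontbox</artifactId>
        <version>2.0.15</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The Tika version is an assumption; the override above applies to any
         tika-parsers release that still pulls in a pdfbox older than 2.0.15. -->
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-parsers</artifactId>
      <version>1.20</version>
    </dependency>
  </dependencies>
</project>
```

After applying the override, confirm the resolved version with `mvn dependency:tree -Dincludes=org.apache.pdfbox` and check that no other direct dependency in the build still declares an older pdfbox; dependencyManagement wins over transitive versions but not over a version declared on a direct dependency in the same POM.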