All, I got the credit wrong for this issue. Rohan Padhye first identified this vulnerability to the Tika team. Tobias Ospelt independently discovered it slightly later.
Credit: This issue was discovered independently using JQF (https://github.com/rohanpadhye/jqf), first by Rohan Padhye at the University of California, Berkeley and later by Tobias Ospelt of modzero AG.

On Wed, Sep 19, 2018 at 8:49 AM Tim Allison <[email protected]> wrote:
>
> CVE-2018-8017: Apache Tika Denial of Service Vulnerability --
> Potential Infinite Loop in IptcAnpaParser
>
> Severity: Medium
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Tika 1.2 to 1.18
>
> Description:
> A carefully crafted file can trigger an infinite loop in Apache Tika's
> IptcAnpaParser.
>
> Mitigation:
> Apache Tika users should upgrade to 1.19 or later.
>
> Credit:
> This issue was discovered by Tobias Ospelt of modzero AG.
