|Category:||Web application abuses|
|Title:||Apache Tika Server XML Entity Expansion Denial of Service Vulnerability|
|Summary:||The host is installed with Apache Tika Server and is prone to a denial of service vulnerability.|
The flaw exists because Apache Tika's XML parsers were not configured to limit entity expansion.
NOTE: Apache Tika 1.19 (the fix for CVE-2018-11761) added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes the entity expansion limits after the first parse. Apache Tika 1.19 is therefore still vulnerable to entity expansion.
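The mitigation pattern that note implies, as an added example that is not Tika's own code: a parser pool that re-installs the Xerces2 SecurityManager every time a parser is taken out, because reset() on release discards it. It assumes Apache Xerces2 (xercesImpl) is the SAXParserFactory implementation on the classpath; the class name, the pool and the expansion limit of 20 are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.helpers.DefaultHandler;

public final class LimitedSaxParserPool {
    // Xerces2 property that carries the SecurityManager enforcing entity expansion limits.
    private static final String SECURITY_MANAGER = "http://apache.org/xml/properties/security-manager";
    private static final int ENTITY_EXPANSION_LIMIT = 20; // assumed value; tune for your inputs
    private final ArrayDeque<SAXParser> pool = new ArrayDeque<>();
    private static SAXParser newParser() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory.newSAXParser();
    }
    // Installs a fresh SecurityManager. Must run after every reset(), not only at creation.
    private static void applyEntityLimit(SAXParser parser) {
        try {
            org.apache.xerces.util.SecurityManager mgr = new org.apache.xerces.util.SecurityManager();
            mgr.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
            parser.setProperty(SECURITY_MANAGER, mgr);
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // Not a Xerces2 parser: only the JAXP secure-processing limits apply.
        }
    }
    public synchronized SAXParser acquire() throws Exception {
        SAXParser parser = pool.isEmpty() ? newParser() : pool.pop();
        applyEntityLimit(parser); // re-applied on every acquire, so a reset parser never runs unguarded
        return parser;
    }

    public synchronized void release(SAXParser parser) {
        parser.reset(); // on Xerces2 this discards the user-specified SecurityManager
        pool.push(parser);
    }
    public void parse(String xml) throws Exception {
        SAXParser parser = acquire();
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), new DefaultHandler());
        } finally {
            release(parser);
        }
    }
}
```

The second parse() call through the same pooled parser is the case that failed in Tika 1.19; here it is guarded because acquire() re-applies the limit after the reset() done in release().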
Successful exploitation will allow remote
attackers to cause a denial of service condition.
Apache Tika Server versions 0.1 through 1.19.
Upgrade to Apache Tika Server 1.19.1 or later.
For updates refer to Reference links.
Common Vulnerability Exposure (CVE) ID: CVE-2018-11761
Common Vulnerability Exposure (CVE) ID: CVE-2018-11796
|Copyright||Copyright (C) 2018 Greenbone Networks GmbH|