CVE-2018-11761
CWE-611 — XML External Entity (XXE)
CWE-776 — XML Entity Expansion (Billion Laughs)
13 documents, 8 sources
Severity
7.5 HIGH
EPSS
11.0%
top 6.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 19
Latest update: Oct 17
Description
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 5 packages
Patches
Vulnerability Details (5)
GHSA: Apache Tika is vulnerable to entity expansions which can lead to a denial of service attack (2018-10-17)
Vendor Advisories (4)
Red Hat
Debian: CVE-2018-11761: tika - In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity ... (2018)
Community (3)
Bugzilla: CVE-2018-11796 tika: Incomplete fix allows for XML entity expansion resulting in denial of service (2018-10-15)
Bugzilla: CVE-2018-11761 tika: XML entity expansion vulnerability due to lack of limit configuration [fedora-all] (2018-09-24)
Bugzilla: CVE-2018-11761 tika: XML entity expansion vulnerability due to lack of limit configuration (2018-09-24)