CVE-2018-11762

CWE-22 — Path Traversal CWE-20 — Improper Input Validation10 documents8 sources

Severity

5.9MEDIUM

EPSS

0.9%

top 24.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tika Apache Software Foundation Apache Tika

Timeline

PublishedSep 19

Latest updateOct 17

Description

In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

▶Mavenorg.apache.tika:tika-core0.9 — 1.19

▶NVDapache/tika0.9 — 1.18

▶CVEListV5apache_software_foundation/apache_tika0.9 to 1.18

▶Debiantika< 1.20-1

🔴Vulnerability Details

GHSA

Moderate severity vulnerability that affects org.apache.tika:tika-core↗2018-10-17

▶

OSV

Moderate severity vulnerability that affects org.apache.tika:tika-core↗2018-10-17

▶

OSV

CVE-2018-11762: In Apache Tika 0↗2018-09-19

▶

CVEList

CVE-2018-11762: In Apache Tika 0↗2018-09-19

▶

📋Vendor Advisories

Red Hat

tika: Zip Slip vulnerability in tika-app↗2018-09-19

▶

Debian

CVE-2018-11762: tika - In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an...↗2018

▶

Apache

Apache tika: CVE-2018-11762↗

▶

💬Community

Bugzilla

CVE-2018-11762 tika: Zip Slip vulnerability in tika-app↗2018-09-24

▶

Bugzilla

CVE-2018-11762 tika: Zip Slip vulnerability in tika-app [fedora-all]↗2018-09-24

▶