Sonatype Nexus scan on Apache Tika 1.18 reports CVE-2018-8036 on pdfbox fontbox version 2.0.8 used by Tika 1.17
Details of the issue from Sonatype Nexus auditor are as follows.
Source: National Vulnerability Database
Severity: Sonatype CVSS 3.0: 7.5
Weakness: Sonatype CWE: 400
Description from CVE:
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
Root Cause: fontbox-2.0.8.jar : [2.0.0, 2.0.11)
Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1597490
Sonatype recommendation is to update pdfbox fontbox to non-vulnerable version 2.0.11
Can you please update pdfbox fontbox version used by Apache Tika?
— Abhijit Rajwade
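A way to reproduce the auditor's finding locally, as an added example that is not part of the report above and not Tika, PDFBox or Sonatype code: parse Maven-style ranges such as the root-cause range `[2.0.0, 2.0.11)` and the affected versions quoted from the CVE text (1.8.0 to 1.8.14, 2.0.0RC1 to 2.0.10), order versions roughly the way Maven does (so that `2.0.0RC1` sorts before `2.0.0`), and flag any `fontbox`/`pdfbox` jar in a lib directory whose version falls inside a range. The ordering rules are a simplified model of Maven's ComparableVersion, the jar listing is constructed, and the mapping of the CVE's PDFBox ranges onto the `fontbox` artifact is an assumption based on the report's root-cause line.

```python
"""Flag jars whose version falls inside a Maven-style vulnerable range.

Added example, not Tika/PDFBox/Sonatype code. Version ordering is a simplified
model of Maven's ComparableVersion: numeric parts compare numerically, and
qualifiers rank alpha < beta < milestone < rc < snapshot < release < sp."""
import re

RELEASE_RANK = 5
QUALIFIER_RANK = {
    "alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
    "rc": 3, "cr": 3, "snapshot": 4, "": RELEASE_RANK, "ga": RELEASE_RANK,
    "final": RELEASE_RANK, "release": RELEASE_RANK, "sp": 6,
}
UNKNOWN_RANK = 7  # Maven puts unknown qualifiers after the known ones, lexically


def tokenize(version):
    """'2.0.0-RC1' -> numeric tokens (1, n, '') and qualifier tokens (0, rank, text);
    the text is kept only for unknown qualifiers so they still sort deterministically."""
    tokens = []
    for t in re.findall(r"\d+|[A-Za-z]+", version):
        if t.isdigit():
            tokens.append((1, int(t), ""))
        else:
            rank = QUALIFIER_RANK.get(t.lower(), UNKNOWN_RANK)
            tokens.append((0, rank, t.lower() if rank == UNKNOWN_RANK else ""))
    return tokens


def _vs_missing(tok):
    """Sign of tok against an absent token on the other side: a trailing 0 is
    neutral ('2.0' == '2.0.0'), any other number is greater, and a qualifier is
    ranked against a plain release ('2.0.0RC1' < '2.0.0')."""
    kind, value, _ = tok
    if kind == 1:
        return 1 if value > 0 else 0
    return (value > RELEASE_RANK) - (value < RELEASE_RANK)


def compare_versions(a, b):
    """Return -1, 0 or 1 for a <, ==, > b."""
    ta, tb = tokenize(a), tokenize(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x is None:
            c = -_vs_missing(y)
        elif y is None:
            c = _vs_missing(x)
        else:
            c = (x > y) - (x < y)  # tuple order: numbers beat qualifiers, then value
        if c:
            return c
    return 0


def parse_range(spec):
    """'[2.0.0, 2.0.11)' -> ('2.0.0', True, '2.0.11', False); an empty bound is open."""
    spec = spec.strip()
    if spec[0] not in "[(" or spec[-1] not in "])" or "," not in spec:
        raise ValueError("not a Maven range: %r" % spec)
    lo, hi = (p.strip() for p in spec[1:-1].split(",", 1))
    return lo, spec[0] == "[", hi, spec[-1] == "]"


def in_range(version, spec):
    lo, lo_inc, hi, hi_inc = parse_range(spec)
    if lo and (compare_versions(version, lo) < 0
               or (compare_versions(version, lo) == 0 and not lo_inc)):
        return False
    if hi and (compare_versions(version, hi) > 0
               or (compare_versions(version, hi) == 0 and not hi_inc)):
        return False
    return True


# Affected versions as stated in the CVE-2018-8036 text quoted in the report
# (PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10); applying them to the
# fontbox artifact as well is an assumption based on the root-cause line.
VULNERABLE_RANGES = {
    "fontbox": ["[1.8.0, 1.8.14]", "[2.0.0RC1, 2.0.10]"],
    "pdfbox": ["[1.8.0, 1.8.14]", "[2.0.0RC1, 2.0.10]"],
}
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")


def split_jar_name(filename):
    """'tika-core-1.18.jar' -> ('tika-core', '1.18'); None if there is no version."""
    m = JAR_NAME.match(filename)
    return (m.group("artifact"), m.group("version")) if m else None


def find_vulnerable(jar_names, ranges=VULNERABLE_RANGES):
    """Return [(jar, first matching range)] for jars inside a vulnerable range."""
    hits = []
    for name in jar_names:
        parsed = split_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        for spec in ranges.get(artifact, []):
            if in_range(version, spec):
                hits.append((name, spec))
                break
    return hits


# Constructed sample listing, not a real Tika distribution's lib directory.
SAMPLE_JARS = ["tika-core-1.18.jar", "tika-parsers-1.18.jar", "commons-io-2.6.jar",
               "pdfbox-2.0.8.jar", "fontbox-2.0.8.jar", "jempbox-1.8.13.jar"]

if __name__ == "__main__":
    import os, sys
    jars = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_JARS
    for jar, spec in find_vulnerable(jars):
        print("%s is inside vulnerable range %s" % (jar, spec))
```

Run it with a path to a lib directory to scan real jars, or with no argument to check the constructed sample, which flags `pdfbox-2.0.8.jar` and `fontbox-2.0.8.jar`. Note that `2.0.11` is correctly outside both `[2.0.0, 2.0.11)` and `[2.0.0RC1, 2.0.10]`, while `2.0.0` is inside the second because the RC1 qualifier sorts below the release.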