Tika / TIKA-2686

pdfbox fontbox 2.0.8 has security vulnerability CVE-2018-8036 and should be upgraded to 2.0.11

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 1.17, 1.18
    • Fix Version/s: 1.19, 2.0.0
    • Component/s: core
    • Labels:

      Description

      Sonatype Nexus scan on Apache Tika 1.18 reports CVE-2018-8036 on pdfbox fontbox version 2.0.8 used by Tika 1.17.

      Details of the issue from the Sonatype Nexus auditor are as follows.

      Issue: CVE-2018-8036
      Source: National Vulnerability Database
      Severity: Sonatype CVSS 3.0: 7.5
      Weakness: Sonatype CWE: 400
      Description from CVE:
      In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
      Categories: Data
      Root Cause: fontbox-2.0.8.jar : [2.0.0, 2.0.11)
      Advisories:
        Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1597490
        Project: https://issues.apache.org/jira/browse/PDFBOX-4251

      Sonatype's recommendation is to update pdfbox fontbox to the non-vulnerable version 2.0.11.

      Can you please update the pdfbox fontbox version used by Apache Tika?

      — Abhijit Rajwade
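The Root Cause field in the report above states the affected versions in Maven range notation ("[2.0.0, 2.0.11)" means 2.0.0 inclusive up to, but excluding, 2.0.11), while the CVE sentence describes a wider set of versions (1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10). The script below is an added example, not code from the issue, from Tika or from Sonatype: it parses that range notation, orders versions the way Maven does (a pre-release qualifier such as RC1 sorts before the final release) and flags jar names on a classpath listing that fall inside a vulnerable range. The classpath list is constructed, and the two extra ranges are my translation of the CVE sentence into the same notation, an assumption rather than a Sonatype field.

```python
"""Flag jar files whose version falls in the ranges reported for CVE-2018-8036.

Added example; not part of Tika or Sonatype. Range syntax is Maven's:
"[a, b)" = a inclusive, b exclusive; an empty endpoint means unbounded.
"""
import re
from typing import List, Optional, Tuple

_TOKEN = re.compile(r"\d+|[A-Za-z]+")
_RANGE = re.compile(r"^\s*([\[(])\s*([^,\s]*)\s*,\s*([^\]\)\s]*)\s*([\])])\s*$")
_JAR = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def version_key(version: str) -> list:
    """Sortable key: numeric tokens compare numerically; an alphabetic
    qualifier (RC, beta, ...) sorts below a missing part, so 2.0.0RC1 < 2.0.0."""
    return [(1, int(t)) if t.isdigit() else (0, t.lower()) for t in _TOKEN.findall(version)]


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b (Maven-style ordering)."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [(1, 0)] * (width - len(ka))  # "2.0" == "2.0.0"
    kb += [(1, 0)] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def parse_range(spec: str) -> Tuple[Optional[str], bool, Optional[str], bool]:
    """Split "[lo, hi)" into (lo, lo_inclusive, hi, hi_inclusive)."""
    m = _RANGE.match(spec)
    if not m:
        raise ValueError(f"unsupported range syntax: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    return (lo or None, lo_br == "[", hi or None, hi_br == "]")


def in_range(version: str, spec: str) -> bool:
    lo, lo_incl, hi, hi_incl = parse_range(spec)
    if lo is not None:
        c = compare(version, lo)
        if c < 0 or (c == 0 and not lo_incl):
            return False
    if hi is not None:
        c = compare(version, hi)
        if c > 0 or (c == 0 and not hi_incl):
            return False
    return True


def split_jar_name(jar: str) -> Optional[Tuple[str, str]]:
    """'lib/tika-core-1.18.jar' -> ('tika-core', '1.18'); None if no version."""
    m = _JAR.match(jar.rsplit("/", 1)[-1])
    return (m["artifact"], m["version"]) if m else None


# Vulnerable ranges per artifact. The first fontbox range is the Sonatype
# Root Cause range quoted in the issue; the other two are my translation of
# the CVE text ("1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10") into Maven syntax.
AFFECTED = {
    "fontbox": ["[2.0.0, 2.0.11)", "[1.8.0, 1.8.14]", "[2.0.0RC1, 2.0.10]"],
}


def affected_jars(jars: List[str]) -> List[Tuple[str, str]]:
    """Return (jar, first matching range) for every jar in a vulnerable range."""
    hits = []
    for jar in jars:
        parsed = split_jar_name(jar)
        if not parsed:
            continue
        artifact, version = parsed
        for spec in AFFECTED.get(artifact, []):
            if in_range(version, spec):
                hits.append((jar, spec))
                break
    return hits


# Constructed classpath listing, not taken from a real Tika build.
SAMPLE_CLASSPATH = [
    "lib/tika-core-1.18.jar",
    "lib/pdfbox-2.0.8.jar",
    "lib/fontbox-2.0.8.jar",
    "lib/fontbox-2.0.11.jar",
    "lib/fontbox-2.0.0RC1.jar",
    "lib/fontbox-1.8.14.jar",
]

if __name__ == "__main__":
    for jar, spec in affected_jars(SAMPLE_CLASSPATH):
        print(f"{jar}: in vulnerable range {spec}")
```

Two caveats when using a check like this. A bare jar-name match only catches the artifact named in the Root Cause field, so `pdfbox-2.0.8.jar` on the same constructed classpath is not reported even though pdfbox and fontbox are released together and should be bumped together. And the Sonatype range alone misses `2.0.0RC1`, which the CVE text does include; that is why the CVE-derived ranges are added here. After upgrading, confirm the resolved versions with `mvn dependency:tree` rather than trusting the declared ones.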
            People

            • Assignee: Unassigned
            • Reporter: arajwade (Abhijit Rajwade)
            • Votes: 0
            • Watchers: 2