Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Duplicate
- Affects Version/s: 1.19.1
- Fix Version/s: None
- Component/s: None
Description
As per Sonatype Nexus Auditor, pdfbox versions up to 2.0.14 are vulnerable to
"CVE-2019-0228: possible XML External Entity (XXE) attack".
The recommended fix is to upgrade to pdfbox version 2.0.15.
Refer to the following pdfbox issue, which is fixed in version 2.0.15:
https://issues.apache.org/jira/browse/PDFBOX-4505
Can you please upgrade Apache Tika to use pdfbox 2.0.15?
The following are details from the Sonatype Nexus scan report:
Issue: CVE-2019-0228
Severity: Sonatype CVSS 3.0: 7.3
Weakness: Sonatype CWE: 611
Source: National Vulnerability Database
Categories: Data
Description from CVE: apache pdfbox - XML External Entity (XXE)
Root Cause: pdfbox-2.0.12.jar : ( , 2.0.15)
Advisories:
Project: https://github.com/apache/pdfbox-docs/commit/b7869c3e4c62c5d...
Project: https://issues.apache.org/jira/browse/PDFBOX-4505
Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1699740
CVSS Details:
Sonatype CVSS 3.0: 7.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
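As an added illustration (not part of this ticket or of Tika's own build), one way a project consuming tika-parsers 1.19.1 can apply the recommended PDFBox upgrade before a Tika release ships it: pin the transitive PDFBox version with Maven's dependencyManagement. The artifact list (pdfbox, fontbox, pdfbox-tools) is an assumption to confirm against the project's own dependency tree.

```xml
<!-- Added example, not from the Tika ticket: pin PDFBox to 2.0.15 in a
     project that depends on tika-parsers 1.19.1, until Tika itself upgrades.
     Assumption: pdfbox, fontbox and pdfbox-tools are the PDFBox artifacts
     tika-parsers pulls in transitively; confirm with `mvn dependency:tree`. -->
<project>
  <!-- groupId / artifactId / version of the consuming project go here -->

  <properties>
    <!-- single place to bump when the next PDFBox 2.0.x fix lands -->
    <pdfbox.version>2.0.15</pdfbox.version>
  </properties>

  <!-- dependencyManagement overrides the version chosen by Maven's
       nearest-wins resolution for every transitive use of these artifacts -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.pdfbox</groupId>
        <artifactId>pdfbox</artifactId>
        <version>${pdfbox.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.pdfbox</groupId>
        <artifactId>fontbox</artifactId>
        <version>${pdfbox.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.pdfbox</groupId>
        <artifactId>pdfbox-tools</artifactId>
        <version>${pdfbox.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the Tika version named in this ticket; it pulls in pdfbox 2.0.12 -->
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-parsers</artifactId>
      <version>1.19.1</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.pdfbox` should list only 2.0.15 artifacts; a scanner such as the one quoted above should then stop flagging CVE-2019-0228, since the pinned versions are all within the fixed range.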
Issue Links
- is related to TIKA-2835 Upgrade to PDFBox 2.0.15 when available (Resolved)