Tim Allison
2018-09-19 12:47:28 UTC
CVE-2018-11762: Zip Slip Vulnerability in Apache Tika's tika-app
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Tika 0.9 to 1.18
Description:
In a rare edge case where a user does not specify an extract directory on
the command line (--extract-dir=) and the input file has an embedded file
with an absolute path, such as "C:/evil.bat", tika-app would overwrite
that file.
Mitigation:
Apache Tika users should upgrade to 1.19 or later.
Credit:
This issue was discovered by Tim Allison on the Apache Tika team.
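
The following is an added example, not code from Apache Tika or from the advisory: one way to confine an embedded file's name to the extract directory before anything is written. The class and method names are hypothetical, and falling back to the current working directory when no extract directory is given is an assumption of this example.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeExtractPath {

    /**
     * Resolve an embedded file's name under extractDir, or throw if the
     * result would land outside it. A null extractDir falls back to the
     * current working directory (assumption made for this example).
     */
    static Path resolveInside(Path extractDir, String embeddedName) throws IOException {
        Path base = (extractDir == null ? Paths.get("") : extractDir)
                .toAbsolutePath().normalize();
        Path target;
        try {
            // resolve() returns embeddedName itself when it is absolute,
            // which is exactly the case the containment check must catch.
            target = base.resolve(embeddedName).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("Unusable embedded name: " + embeddedName, e);
        }
        // Path.startsWith compares whole name elements, so "/out-evil" is
        // not treated as being inside "/out".
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("Embedded name escapes extract dir: " + embeddedName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample names; "C:/evil.bat" is the form quoted in the advisory.
        String[] names = { "report/image1.png", "C:/evil.bat", "/tmp/evil.sh", "../../evil.sh" };
        for (String name : names) {
            try {
                System.out.println("OK       " + name + " -> " + resolveInside(null, name));
            } catch (IOException e) {
                System.out.println("REJECTED " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Whether "C:/evil.bat" counts as absolute depends on the platform: a Windows JVM treats it as an absolute path and the check rejects it, while on other systems it is an ordinary relative name that stays inside the extract directory.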