www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Allison <talli...@apache.org>
Subject [CVE-2018-11762] Zip Slip Vulnerability in Apache Tika's tika-app
Date Wed, 19 Sep 2018 12:47:28 GMT
CVE-2018-11762: Zip Slip Vulnerability in Apache Tika's tika-app

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Tika 0.9 to 1.18

Description:
In a rare edge case where a user does not specify an extract directory on
the commandline (--extract-dir=) and the input file has an embedded file
with an absolute path, such as "C:/evil.bat", tika-app would overwrite
that file.

Mitigation:
Apache Tika users should upgrade to 1.19 or later

Credit:
This issue was discovered by Tim Allison on the Apache Tika team.

Mime
View raw message