[CVE-2018-11762] Zip Slip Vulnerability in Apache Tika's tika-app

[Tim Allison <tallison () apache org>]

CVE-2018-11762: Zip Slip Vulnerability in Apache Tika's tika-app

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Tika 0.9 to 1.18

Description:
In a rare edge case where a user does not specify an extract directory on
the commandline (--extract-dir=) and the input file has an embedded file
with an absolute path, such as "C:/evil.bat", tika-app would overwrite
that file.

Mitigation:
Apache Tika users should upgrade to 1.19 or later

Credit:
This issue was discovered by Tim Allison on the Apache Tika team.