oss-sec mailing list archives
[CVE-2018-11762] Zip Slip Vulnerability in Apache Tika's tika-app
From: Tim Allison <tallison () apache org>
Date: Wed, 19 Sep 2018 08:47:28 -0400
CVE-2018-11762: Zip Slip Vulnerability in Apache Tika's tika-app

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache Tika 0.9 to 1.18

Description: In a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.

Mitigation: Apache Tika users should upgrade to 1.19 or later

Credit: This issue was discovered by Tim Allison on the Apache Tika team.