XML External Entity (XXE) Injection in tika | CVE-2018-11796

Q: How to fix?

There is no fixed version for Ubuntu:21.04 tika .

Threat Intelligence

1.94% (89^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about XML External Entity (XXE) Injection vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-UBUNTU2104-TIKA-1271203
published9 Oct 2018
disclosed9 Oct 2018

Report a new vulnerability Found a mistake?

Introduced: 9 Oct 2018

CVE-2018-11796 (opens in a new tab) CWE-611 (opens in a new tab)

How to fix?

There is no fixed version for Ubuntu:21.04 tika.

NVD Description

Note: Versions mentioned in the description apply only to the upstream tika package and not the tika package as distributed by Ubuntu. See How to fix? for Ubuntu:21.04 relevant fixed versions and status.

In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.

XML External Entity (XXE) Injection Affecting tika package, versions *

Severity