Vulnerability Name: | CVE-2018-11762 (CCN-150100) | ||||||||||||||||||||||||||||||||
Assigned: | 2018-09-19 | ||||||||||||||||||||||||||||||||
Published: | 2018-09-19 | ||||||||||||||||||||||||||||||||
Updated: | 2018-11-20 | ||||||||||||||||||||||||||||||||
Summary: | In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file. | ||||||||||||||||||||||||||||||||
CVSS v3 Severity: | 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) 5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
3.2 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||
CVSS v2 Severity: | 5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P)
| ||||||||||||||||||||||||||||||||
Vulnerability Type: | CWE-22 | ||||||||||||||||||||||||||||||||
Vulnerability Consequences: | File Manipulation | ||||||||||||||||||||||||||||||||
References: | Source: MITRE Type: CNA CVE-2018-11762 Source: BID Type: Third Party Advisory, VDB Entry 105515 Source: CCN Type: BID-105515 Apache Tika CVE-2018-11762 Arbitrary File Overwrite Vulnerability Source: XF Type: UNKNOWN apache-tika-cve201811762-file-overwrite(150100) Source: CCN Type: Apache Web site CVE-2018-11762: Zip Slip Vulnerability in Apache Tika's tika-app Source: MLIST Type: Mailing List, Vendor Advisory [tika-dev] 20180919 [CVE-2018-11762] Zip Slip Vulnerability in Apache Tika's tika-app Source: CCN Type: oss-sec Mailing List, Wed, 19 Sep 2018 08:47:28 -0400 [CVE-2018-11762] Zip Slip Vulnerability in Apache Tika's tika-app Source: CCN Type: IBM Security Bulletin 888135 (QRadar SIEM) IBM QRadar Incident Forensics is vulnerable to publicly disclosed vulnerabilities from Apache Tika (CVE-2018-11761, CVE-2018-11762, CVE-2018-8017, CVE-2018-11796) Source: CCN Type: IBM Security Bulletin 6524700 (Planning Analytics Workspace) IBM Planning Analytics Workspace is affected by security vulnerabilities Source: CCN Type: WhiteSource Vulnerability Database CVE-2018-11762 | ||||||||||||||||||||||||||||||||
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||
Oval Definitions | |||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
BACK |