Date: Wed, 19 Sep 2018 08:47:28 -0400 From: Tim Allison <tallison@...che.org> To: announce@...che.org, dev@...a.apache.org, user@...a.apache.org, Apache Security Team <security@...che.org>, oss-security@...ts.openwall.com Subject: [CVE-2018-11762] Zip Slip Vulnerability in Apache Tika's tika-app CVE-2018-11762: Zip Slip Vulnerability in Apache Tika's tika-app Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tika 0.9 to 1.18 Description: In a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file. Mitigation: Apache Tika users should upgrade to 1.19 or later Credit: This issue was discovered by Tim Allison on the Apache Tika team.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.