CVE-2018-11761

HIGH

Apache Tika < 1.18 - XXE

Title source: rule

Description

In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.

Exploits (1)

nomisec WORKING POC 9 stars
by brianwrf · poc
https://github.com/brianwrf/CVE-2018-11761

Scores

CVSS v3 7.5
EPSS 0.1103
EPSS Percentile 93.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-611
Status published
Products (4)
apache/tika 0.1 - 1.18
oracle/business_process_management_suite 12.1.3.0.0
oracle/business_process_management_suite 12.2.1.3.0
org.apache.tika/tika-core 0.1 - 1.19.1 (Maven)
Published Sep 19, 2018
Tracked Since Feb 18, 2026