CVE-2018-1339

Impact:
Moderate
Public Date:
2018-04-25
CWE:
CWE-835
Bugzilla:
1572424: CVE-2018-1339 tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service

The MITRE CVE dictionary describes this issue as:

A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.

Find out more about CVE-2018-1339 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue affects the versions of tika which is embedded in the nutch package as shipped with Red Hat Satellite 5. The tika server is not exposed, as such exploitation is difficult, Red Hat Product Security has rated this issue as having security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

CVSS v3 metrics

CVSS3 Base Score 6.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Fuse 7 RHSA-2018:2669 2018-09-11

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-eclipse46-tika Not affected
Red Hat Satellite 5 tika Will not fix
Red Hat JBoss Fuse Service Works 6 tika-core Not affected
Red Hat JBoss Data Virtualization 6 tika-core Will not fix
Red Hat JBoss BRMS 6 tika-core Will not fix
Red Hat JBoss BRMS 5 tika-core Will not fix
Red Hat JBoss BPMS 6 tika-core Will not fix
Red Hat Enterprise Linux 8 tika Will not fix

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation