Denial of Service in Apache Tika Versions 1.19 to 1.21
CVE-2019-10093

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Tika
Vendor: CVE Published:; 2 August 2019

🔔 Create Apache Vulnerability Alert

What is CVE-2019-10093?

In versions 1.19 to 1.21 of Apache Tika, a vulnerability exists that allows a specially crafted 2003ml or 2006ml file to consume all available SAXParsers. This can result in significant application hangs, impacting the availability and performance of services utilizing this library. Users are advised to upgrade to version 1.22 or later to mitigate this issue.

Affected Version(s)

Apache Tika 1.19 to 1.21

References

https://lists.apache.org/thread.html/a5a44eff1b9eda3bc69d...

x_refsource_CONFIRM

https://lists.apache.org/thread.html/fb6c84fd387de997e5e3...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/da9ee189d1756f8508d0...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 2, 2019
Vulnerability Reserved
Mar 26, 2019

.