CVE-2019-10093

Name: CVE-2019-10093
Description: In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 933745

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release        Version   Status
tika (PTS)       jessie         1.5-1     vulnerable
                 buster         1.20-1    vulnerable
                 bullseye, sid  1.22-1    fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
tika      source   (unstable)   1.22-1          medium             933745

Notes

https://www.openwall.com/lists/oss-security/2019/08/02/3
https://github.com/apache/tika/commit/81c21ab0aac6b3e4102a1a8906c8c7eab6f96dae
