CVE-2019-10093

Name: CVE-2019-10093
Description: In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 933745

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release        Version   Status
tika (PTS)       jessie         1.5-1     fixed
                 buster         1.20-1    vulnerable
                 bullseye, sid  1.22-1    fixed

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version   Urgency  Origin  Debian Bugs
tika     source  (unstable)  1.22-1                           933745
tika     source  jessie      (not affected)

Notes

[buster] - tika <no-dsa> (Minor issue)
[jessie] - tika <not-affected> (The vulnerable code was introduced later)
https://www.openwall.com/lists/oss-security/2019/08/02/3
https://github.com/apache/tika/commit/81c21ab0aac6b3e4102a1a8906c8c7eab6f96dae
