CVE-2019-10094 : A carefully crafted package/compressed file that, when unzipped/uncompressed yie

A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.

Published 2019-08-02 19:15:12

Updated 2020-08-24 17:37:01

Source Apache Software Foundation

View at NVD, CVE.org

Products affected by CVE-2019-10094

Apache » Tika
Versions from including (>=) 1.7 and up to, including, (<=) 1.21
cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-10094

EPSS FAQ

0.55%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 65 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-10094

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-10094

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-10094

https://www.oracle.com/security-alerts/cpujan2020.html

Oracle Critical Patch Update Advisory - January 2020

CVEs referencing this url
https://lists.apache.org/thread.html/da9ee189d1756f8508d0f2386d8e25aca5a6df541739829232be8a94@%3Cdev.tika.apache.org%3E

Re: security fixes for CVE-2019-10088 and CVE-2019-1009{3,4} - Pony Mail

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2020.html

Oracle Critical Patch Update Advisory - April 2020

CVEs referencing this url
https://lists.apache.org/thread.html/39723d8227b248781898c200aa24b154683673287b150a204b83787d@%3Cdev.tika.apache.org%3E

Re: security fixes for CVE-2019-10088 and CVE-2019-1009{3,4} - Pony Mail

CVEs referencing this url
https://lists.apache.org/thread.html/fb6c84fd387de997e5e366d50b0ca331a328c466432c80f8c5eed33d@%3Cdev.tika.apache.org%3E

security fixes for CVE-2019-10088 and CVE-2019-1009{3,4} - Pony Mail
Mailing List;Vendor Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/fe876a649d9d36525dd097fe87ff4dcb3b82bb0fbb3a3d71fb72ef61@%3Cdev.tika.apache.org%3E

[CVE-2019-10094] StackOverflow from Crafted Package/Compressed Files in Apache Tika's RecursiveParserWrapper - Pony Mail
Mailing List;Vendor Advisory
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E

CVEs (vulnerabilities) that apply to Solr 8.4.1 - Pony Mail

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-10094

Products affected by CVE-2019-10094

Exploit prediction scoring system (EPSS) score for CVE-2019-10094

CVSS scores for CVE-2019-10094

CWE ids for CVE-2019-10094

References for CVE-2019-10094