CVE-2019-10094

moderate-risk

Published 2019-08-02

A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later.

Do I need to act?

0.56% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.8/10 High

LOCAL / LOW complexity

Affected Products (1)

Tika

Affected Vendors

Apache

References (14)

https://lists.apache.org/thread.html/39723d8227b248781898c200aa24b154683673287b1...

https://lists.apache.org/thread.html/da9ee189d1756f8508d0f2386d8e25aca5a6df54173...

https://lists.apache.org/thread.html/fb6c84fd387de997e5e366d50b0ca331a328c466432...

https://lists.apache.org/thread.html/fe876a649d9d36525dd097fe87ff4dcb3b82bb0fbb3...

https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133dee...

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://lists.apache.org/thread.html/39723d8227b248781898c200aa24b154683673287b1...

https://lists.apache.org/thread.html/da9ee189d1756f8508d0f2386d8e25aca5a6df54173...

https://lists.apache.org/thread.html/fb6c84fd387de997e5e366d50b0ca331a328c466432...

https://lists.apache.org/thread.html/fe876a649d9d36525dd097fe87ff4dcb3b82bb0fbb3...

https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133dee...

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujan2020.html

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal