CVE-2019-10093

Name: CVE-2019-10093
Description: In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 933745

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| tika (PTS) | jessie, jessie (lts) | 1.5-1+deb8u1 | fixed |
| | buster | 1.20-1 | vulnerable |
| | sid, bullseye | 1.22-2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tika | source | jessie | (not affected) | | | |
| tika | source | (unstable) | 1.22-1 | | | 933745 |

Notes

[buster] - tika <no-dsa> (Minor issue)
[jessie] - tika <not-affected> (The vulnerable code was introduced later)
https://www.openwall.com/lists/oss-security/2019/08/02/3
https://github.com/apache/tika/commit/81c21ab0aac6b3e4102a1a8906c8c7eab6f96dae
