Posted to dev@tika.apache.org by "Kenneth William Krugler (Jira)" <ji...@apache.org> on 2022/01/24 22:14:00 UTC
[jira] [Commented] (TIKA-2829) Security Vulnerability in boilerpipe (CVE-2018-16481)
[ https://issues.apache.org/jira/browse/TIKA-2829?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17481434#comment-17481434 ]
Kenneth William Krugler commented on TIKA-2829:
-----------------------------------------------
Hi Alex - I took a look at the CVE, and from what I can tell it's JavaScript code in the [html-pages|https://github.com/danielcardoso/html-pages] package that isn't sanitizing paths properly. html-pages is a development HTTP server, so I can't see any way that the Boilerpipe Java code would be impacted.
If you can clarify, that would be great. If we don't hear back, I'll assume this is not a bug and close the issue, thanks.
> Security Vulnerability in boilerpipe (CVE-2018-16481)
> -----------------------------------------------------
>
> Key: TIKA-2829
> URL: https://issues.apache.org/jira/browse/TIKA-2829
> Project: Tika
> Issue Type: Bug
> Components: parser
> Affects Versions: 1.20
> Reporter: Alex LI
> Priority: Major
>
> org.apache.tika:tika-parsers:1.20 depends on boilerpipe, which the dependency reflections uses.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-16481]
> h3. Current Description
> An XSS vulnerability was found in html-page <=2.1.1 that allows malicious JavaScript code to be executed in the user's browser due to the absence of sanitization of the paths before rendering.
> ==========================
> [info] de.l3s.boilerpipe:boilerpipe:1.1.0
> [info] +-org.apache.tika:tika-parsers:1.20
--
This message was sent by Atlassian Jira
(v8.20.1#820001)