Re: [CVE-2018-8017] Apache Tika Denial of Service Vulnerability -- Potential Infinite Loop in IptcAnpaParser
I got the credit wrong for this issue. Rohan Padhye first
identified this vulnerability to the Tika team. Tobias Ospelt
independently discovered it slightly later.
This issue was discovered independently using JQF
(https://github.com/rohanpadhye/jqf), first by Rohan Padhye at the
University of California, Berkeley and later by Tobias Ospelt of
modzero AG.
> CVE-2018-8017: Apache Tika Denial of Service Vulnerability --
> Potential Infinite Loop in IptcAnpaParser
> Severity: Medium
> The Apache Software Foundation
> Versions Affected:
> Apache Tika 1.2 to 1.18
> A carefully crafted file can trigger an infinite loop in Apache Tika's
> Apache Tika users should upgrade to 1.19 or later.
> This issue was discovered by Tobias Ospelt of modzero AG.