CVE-2019-10093
Allocation of Resources Without Limits or Throttling in Apache Tika
Severity: 6.5 MEDIUM (CVSS 3.1); EPSS: 1.4%
Description
In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.
How to fix CVE-2019-10093
To remediate CVE-2019-10093, upgrade the affected package to a fixed version below.
- Debian/tika: upgrade to 1.22-1 or later
- —upgrade to 1.22 or later
Is CVE-2019-10093 being exploited?
Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.22-1
- >= 1.19, < 1.22
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References (10)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2019-10093
- ADVISORY: security-tracker.debian.org/tracker/CVE-2019-10093
- WEB: lists.apache.org/thread.html/39723d8227b248781898c200aa24b154683673287b150a204b83787d@%3Cdev.tika.apache.org%3E
- WEB: lists.apache.org/thread.html/a5a44eff1b9eda3bc69d22943a1030c43d376380c75d3ab04d0c1a21@%3Cdev.tika.apache.org%3E