2 matches found
CVE-2018-11796
Apache Tika 0.1–1.19 is vulnerable to an entity-expansion denial of service. The root cause is that Xerces2-based SAXParsers reset() after each parse, which removes the user-configured SecurityManager and, per documentation, the entity-expansion limits after the first parse. This means versions f...
Amazon Linux AMI : ruby21 (ALAS-2014-449)
The upstream patch for CVE-2014-8080 introduced checks against the REXML.entityexpansiontextlimit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entityexpansionlimit. As a consequence, even with the patch applied, a small XML...