
CVE-2018-8017: Comparison error in org.apache.tika:tika-core

CVSS Score (v3.0): 5.5

Basic Information

EPSS Score: 0.87418%
Published: 10/17/2018
Updated: 3/4/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Package Name              | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.tika:tika-core | maven     | >= 1.2, < 1.19      | 1.19

Every tika-core release from 1.2 through 1.18 inclusive is affected; 1.19 is the first release that carries the fix, so the remediation is an upgrade to 1.19 or later.

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from an off-by-one loop termination check in several methods of IptcAnpaParser.java. The original code left its byte-array processing loops only when 'read > value.length', i.e. when the read position had already moved strictly past the end of the array. When 'read' lands exactly on 'value.length', which is what happens once the buffer has been fully consumed, that condition is false, so the loop keeps running past the end of the valid data instead of stopping; this is the infinite loop a crafted file triggers. The patch in 1.19 changed these checks to 'read >= value.length', so the loop exits as soon as the buffer is exhausted. Both parseBody and parseFooter contained this pattern in their byte-array processing loops, which makes them the root cause. The impact is availability only (an unterminated parse), matching the C:N/I:N/A:H vector above.
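As an added illustration (not Tika's IptcAnpaParser source and not Miggo's code), the following toy Java scanner reproduces the termination-check pattern described above on a constructed tab-delimited buffer. The record layout, the method name scanFields, the iteration cap and the sample input are all invented for the demo; the only line that differs between the two variants is the guard, 'read > value.length' versus 'read >= value.length'.

```java
import java.nio.charset.StandardCharsets;

/**
 * Added demo of the loop-termination bug pattern behind CVE-2018-8017.
 * This is NOT Tika's IptcAnpaParser source: the record layout (tab-separated
 * fields), the method name scanFields and the iteration cap are invented
 * here so that the two guards can be compared without hanging the JVM.
 */
public class LoopGuardDemo {

    /** Safety cap so the buggy variant cannot run forever. */
    static final int MAX_ITERATIONS = 1_000;

    /**
     * Consumes tab-separated fields from value, appending each field to out.
     * strictGuard=false uses the pre-1.19 style check (read > value.length),
     * strictGuard=true the patched one (read >= value.length).
     *
     * @return number of loop iterations executed, or -1 if MAX_ITERATIONS was
     *         hit, meaning the loop would never exit on its own.
     */
    static int scanFields(byte[] value, boolean strictGuard, StringBuilder out) {
        int read = 0;
        int iterations = 0;
        while (true) {
            if (++iterations > MAX_ITERATIONS) {
                return -1;
            }
            // The only line that differs between the vulnerable and fixed
            // variants. With '>' the guard can never fire: read grows to
            // value.length and stops there, so the loop continues with the
            // buffer already exhausted.
            boolean pastEnd = strictGuard ? read >= value.length
                                          : read > value.length;
            if (pastEnd) {
                break;
            }
            // Locate the end of the current field: next tab or end of buffer.
            int end = read;
            while (end < value.length && value[end] != '\t') {
                end++;
            }
            out.append(new String(value, read, end - read, StandardCharsets.US_ASCII))
               .append('|');
            // Skip the delimiter if there is one. At the end of the buffer
            // there is nothing to skip, so read stays at value.length: zero
            // progress per iteration from here on.
            read = (end < value.length) ? end + 1 : end;
        }
        return iterations;
    }

    public static void main(String[] args) {
        // Constructed input: any buffer, with or without a trailing delimiter,
        // drives read to exactly value.length once the last field is consumed.
        byte[] crafted = "SLUG\tBODY TEXT".getBytes(StandardCharsets.US_ASCII);

        StringBuilder out = new StringBuilder();
        int vulnerable = scanFields(crafted, false, out);
        System.out.println("read > value.length  : "
                + (vulnerable < 0 ? "iteration cap hit, loop does not terminate"
                                  : vulnerable + " iterations"));

        out.setLength(0);
        int fixed = scanFields(crafted, true, out);
        System.out.println("read >= value.length : " + fixed
                + " iterations, fields = " + out);
    }
}
```

Compile with javac LoopGuardDemo.java and run java LoopGuardDemo. The first variant hits the iteration cap because 'read' reaches value.length and then stops advancing, while the second exits on its third iteration with the two fields extracted. The general point is that value.length is itself an out-of-range index, so any parser loop that guards with a strict comparison against the buffer length has no exit on the exact-boundary input; the guard must be '>='.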


WAF Protection Rules

WAF Rule

In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.
