In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "12.1.3.0.0"
},
{
"last_affected": "12.1.3.0.0"
},
{
"introduced": "12.2.1.3.0"
},
{
"last_affected": "12.2.1.3.0"
}
],
"source": "CPE_STRING",
"vendor_product": "oracle:business_process_management_suite",
"cpes": [
"cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*"
]
}
]
}