CVE-2018-11761
Description
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Tika 0.1 to 1.18 XML parsers are vulnerable to entity expansion, leading to denial of service via crafted XML.
Vulnerability
In Apache Tika versions 0.1 through 1.18, the XML parsers were not configured to limit entity expansion, making them susceptible to an XML entity expansion (billion laughs) attack. This affects all components using XML parsing. [1][2]
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted XML file to an affected Tika instance (e.g., via uploaded documents). No authentication is required. The attack involves sending a small XML payload that expands exponentially, consuming server memory and CPU. [1][2]
Impact
Successful exploitation leads to a denial of service (DoS) condition, as the server becomes unresponsive due to resource exhaustion. The vulnerability does not lead to code execution or data disclosure. [1][2]
Mitigation
The vulnerability is fixed in Apache Tika version 1.19.1. Users should upgrade to 1.19.1 or later. No workarounds are documented for earlier versions. [2]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
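The narrative above says the parsers were "not configured to limit entity expansion". As an added example (not code from the Tika project or from this record), the following Java snippet shows a JAXP DocumentBuilderFactory left at its defaults beside one hardened to reject DTD-defined entities before any expansion takes place; the class name and the small nested-entity document are constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class HardenedXmlParse {
    // Constructed sample: a two-level internal-DTD entity chain. It is deliberately
    // tiny; the point is that the DOCTYPE itself is what a hardened parser refuses.
    static final String NESTED_ENTITY_DOC =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE doc [\n" +
        "  <!ENTITY a \"aaaa\">\n" +
        "  <!ENTITY b \"&a;&a;\">\n" +
        "]>\n" +
        "<doc>&b;</doc>";

    // Weak setting: a stock factory accepts the DOCTYPE and expands entities.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened setting: refuse any DOCTYPE, so no entity definitions can exist,
    // and enable secure processing so JAXP's expansion limits apply as a fallback.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true when the document parses, false when the parser rejects it.
    static boolean parses(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory accepts DTD entities: " + parses(defaultFactory(), NESTED_ENTITY_DOC));
        System.out.println("hardened factory accepts DTD entities: " + parses(hardenedFactory(), NESTED_ENTITY_DOC));
    }
}
```

Rejecting the DOCTYPE at the parser boundary is the check to apply wherever untrusted XML reaches a JAXP parser, and it is independent of the Tika upgrade the Mitigation section recommends.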
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tika:tika-core (Maven) | >= 0.1, < 1.19.1 | 1.19.1 |
Affected products
GitHub Security Advisory coordinates (28 entries, none with a CPE), each with the version range recorded for it:

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:maven/org.apache.tika/tika-core | Maven | >= 0.1, < 1.19.1 |
| pkg:rpm/suse/apache-mybatis | SUSE Manager Server 3.2 | < 3.2.3-3.3.3 |
| pkg:rpm/suse/cobbler | SUSE Manager Server 3.2 | < 2.6.6-6.10.3 |
| pkg:rpm/suse/hadoop | SUSE Manager Server 3.2 | < 0.18.1-3.3.3 |
| pkg:rpm/suse/image-sync-formula | SUSE Manager Server 3.2 | < 0.1.1542287363.b8aa274-3.6.3 |
| pkg:rpm/suse/lucene | SUSE Manager Server 3.2 | < 2.4.1-4.3.3 |
| pkg:rpm/suse/nekohtml | SUSE Manager Server 3.2 | < 1.9.21-3.3.3 |
| pkg:rpm/suse/nutch-core | SUSE Manager Server 3.2 | < 1.0.1-7.10.3 |
| pkg:rpm/suse/picocontainer | SUSE Manager Server 3.2 | < 1.3.7-3.3.3 |
| pkg:rpm/suse/python-susemanager-retail | SUSE Manager Server 3.2 | < 1.0.1542643545.8752d17-2.6.3 |
| pkg:rpm/suse/saltboot-formula | SUSE Manager Server 3.2 | < 0.1.1542287363.b8aa274-3.6.3 |
| pkg:rpm/suse/salt-netapi-client | SUSE Manager Server 3.2 | < 0.15.0-4.3.3 |
| pkg:rpm/suse/spacecmd | SUSE Manager Server 3.2 | < 2.8.25.7-3.9.3 |
| pkg:rpm/suse/spacewalk-branding | SUSE Manager Server 3.2 | < 2.8.5.12-3.10.4 |
| pkg:rpm/suse/spacewalk-config | SUSE Manager Server 3.2 | < 2.8.5.5-3.10.3 |
| pkg:rpm/suse/spacewalk-java | SUSE Manager Server 3.2 | < 2.8.78.13-3.13.1 |
| pkg:rpm/suse/spacewalk-search | SUSE Manager Server 3.2 | < 2.8.3.7-3.12.3 |
| pkg:rpm/suse/spacewalk-setup | SUSE Manager Server 3.2 | < 2.8.7.5-3.10.3 |
| pkg:rpm/suse/spacewalk-utils | SUSE Manager Server 3.2 | < 2.8.18.3-3.3.3 |
| pkg:rpm/suse/spacewalk-web | SUSE Manager Proxy 3.2 | < 2.8.7.11-3.13.3 |
| pkg:rpm/suse/spacewalk-web | SUSE Manager Server 3.2 | < 2.8.7.11-3.13.3 |
| pkg:rpm/suse/susemanager | SUSE Manager Server 3.2 | < 3.2.14-3.13.3 |
| pkg:rpm/suse/susemanager-docs_en | SUSE Manager Server 3.2 | < 3.2-11.12.3 |
| pkg:rpm/suse/susemanager-frontend-libs | SUSE Manager Server 3.2 | < 3.2.4-3.7.3 |
| pkg:rpm/suse/susemanager-schema | SUSE Manager Server 3.2 | < 3.2.15-3.13.3 |
| pkg:rpm/suse/susemanager-sls | SUSE Manager Server 3.2 | < 3.2.18-3.13.3 |
| pkg:rpm/suse/susemanager-sync-data | SUSE Manager Server 3.2 | < 3.2.10-3.9.3 |
| pkg:rpm/suse/tika-core | SUSE Manager Server 3.2 | < 1.19.1-3.3.3 |

- Apache Software Foundation / Apache Tika (v5): range 0.1 to 1.18
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6jq2-789q-fff2 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-11761 (GHSA; advisory)
- www.securityfocus.com/bid/105514 (GHSA; vdb-entry, x_refsource_BID; web)
- lists.apache.org/thread.html/5553e10bba5604117967466618f219c0cae710075819c70cfb3fb421%40%3Cdev.tika.apache.org%3E (MITRE; mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/5553e10bba5604117967466618f219c0cae710075819c70cfb3fb421@%3Cdev.tika.apache.org%3E (GHSA; web)
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E (MITRE; mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E (GHSA; web)
- www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (GHSA; x_refsource_MISC; web)
News mentions
No linked articles in our index yet.