CVE-2018-17197
Description
A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A specially crafted SQLite file causes an infinite loop in Apache Tika's SQLite3Parser (1.8-1.19.1), leading to denial of service.
Vulnerability
Apache Tika versions 1.8 through 1.19.1 contain a denial of service vulnerability in the SQLite3Parser component. A carefully crafted or corrupt SQLite file can trigger an infinite loop when the parser attempts to process it, causing the application to hang or exhaust resources. The affected versions are those using the tika-parsers module [1][2].
Exploitation
An attacker requires the ability to supply a malicious SQLite file to Apache Tika for parsing. This can be achieved through any mechanism where Tika processes user-uploaded or externally provided files, such as a document conversion service or content extraction pipeline. No authentication or special privileges are needed; the attacker simply provides the crafted file as input [1][2].
Impact
Successful exploitation results in a denial of service condition. The infinite loop prevents the parser from completing its task, potentially consuming CPU resources indefinitely, and may cause the application to become unresponsive. The impact is limited to availability; there is no evidence of information disclosure, data corruption, or remote code execution [1][2].
Mitigation
The vulnerability is fixed in Apache Tika version 1.20, which was released in December 2018. Users should upgrade to version 1.20 or later. There is no known workaround for earlier versions. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tika:tika-parsers (Maven) | >= 1.8, < 1.20 | 1.20 |
Affected products
- Apache Software Foundation/Apache Tika (v5), range: Apache Tika 1.8-1.19.1
References
- github.com/advisories/GHSA-3448-vfvv-xp9g (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-17197 (ghsa, ADVISORY)
- www.securityfocus.com/bid/106293 (ghsa, vdb-entry, x_refsource_BID, WEB)
- lists.apache.org/thread.html/7c021a4ea2037e52e74628e17e8e0e2acab1f447160edc8be0eae6d3%40%3Cdev.tika.apache.org%3E (mitre, x_refsource_MISC)
- lists.apache.org/thread.html/7c021a4ea2037e52e74628e17e8e0e2acab1f447160edc8be0eae6d3@%3Cdev.tika.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E (ghsa, WEB)
- www.oracle.com/security-alerts/cpuapr2020.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (ghsa, x_refsource_MISC, WEB)