[jira] [Commented] (TIKA-2561) Tika Parser includes oudated/vulnerable version of JSoup

Tim Allison (JIRA) Wed, 31 Jan 2018 17:09:53 -0800

    [ 
https://issues.apache.org/jira/browse/TIKA-2561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16347844#comment-16347844
 ]


Tim Allison commented on TIKA-2561:
-----------------------------------

Thank you for opening this, y, edu.ucar:grib:jar:4.5.5 pulls in 1.7.2.  Are we 
actually vulnerable to XSS simply by parsing a file?  I recognize XXE and 
entity expansion attacks are a problem, but XSS?  Thank you, again.

> Tika Parser includes oudated/vulnerable version of JSoup
> --------------------------------------------------------
>
>                 Key: TIKA-2561
>                 URL: https://issues.apache.org/jira/browse/TIKA-2561
>             Project: Tika
>          Issue Type: Bug
>          Components: parser
>    Affects Versions: 1.17
>            Reporter: Asela
>            Priority: Major
>
> org.apache.tika:tika-parsers:1.17 pulls in dependency JSoup 1.7.2.
>  
> JSoup versions older than 1.8.3 have a vulnerability in parsing.
>  
> https://nvd.nist.gov/vuln/detail/CVE-2015-6748



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (TIKA-2561) Tika Parser includes oudated/vulnerable version of JSoup

Reply via email to