I don't think there's much we can do about this. :( That looks like a nasty set of deserialization issues which probably doesn't affect us (?). I haven't looked deeply. The ctakes parser does do a bunch of serialization but, I think, only on data that is configured in tika-config.xml. Based on a quick review, I don't think we'd be vulnerable to crafted user input.
Nevertheless, this is frustrating.

On Fri, Nov 10, 2023 at 2:17 AM Tilman Hausherr <[email protected]> wrote:
> Builds fail because of a security issue in Apache Uima 3.4.1
> (CVE-2023-39913). This is fixed in 3.5.0 but that one requires jdk17 :-(
>
> Uima is used because ctakes is used in the Apache Tika natural language
> process module. I don't know if CVE-2023-39913 applies to us at all or
> if we can mitigate it as described.
>
> https://ossindex.sonatype.org/vulnerability/CVE-2023-39913
>
> Tilman
