[ https://issues.apache.org/jira/browse/TIKA-4687?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Diego Rivera updated TIKA-4687:
-------------------------------
    Description: 
During our security scans, our Tika 3.2.3 container raised the following CVE 
issues (fixes listed):
 
|CVE|Severity|Fix|
|CVE-2026-24308|HIGH|org.apache.zookeeper:zookeeper:3.8.6|
|GHSA-72hv-8253-57qq|HIGH|com.fasterxml.jackson.core:jackson-core:2.21.1|
|CVE-2025-68161|MEDIUM|org.apache.logging.log4j:log4j-core:2.25.3|
|CVE-2025-11226|MEDIUM|ch.qos.logback:logback-core:1.5.19|
|CVE-2026-1225|LOW|ch.qos.logback:logback-core:1.5.25|

Is there any chance that all of the above can be addressed for the next release 
(3.2.4)?

In most cases it should be simple enough to update the dependent library's 
version in the `pom.xml`. There are two more that I'm not requesting a fix for:

|CVE|Severity|Fix|
|CVE-2024-6763|MEDIUM|org.eclipse.jetty:jetty-http:12.0.12|
|CVE-2025-11143|LOW|org.eclipse.jetty:jetty-http:12.0.31|

In the case of these Jetty issues, they would require a jump to Jetty 12 which 
in turn requires Java 17, and I suspect there's no desire to raise the Java 
baseline to 17 for Tika.

Thanks!

  was:
During our security scans, our Tika 3.2.3 container raised the following CVE 
issues (fixes listed):
 
|CVE|Severity|Fix|
|CVE-2026-24308|HIGH|org.apache.zookeeper:zookeeper:3.8.6|
|GHSA-72hv-8253-57qq|HIGH|com.fasterxml.jackson.core:jackson-core:2.21.1|
|CVE-2025-11226|MEDIUM|ch.qos.logback:logback-core:1.5.19|
|CVE-2025-68161|MEDIUM|org.apache.logging.log4j:log4j-core:2.25.3|
|CVE-2026-1225|LOW|ch.qos.logback:logback-core:1.5.25|

Is there any chance that all of the above can be addressed for the next release 
(3.2.4)?

In most cases it should be simple enough to update the dependent library's 
version in the `pom.xml`. There are two more that I'm not requesting a fix for:

|CVE|Severity|Fix|
|CVE-2024-6763|MEDIUM|org.eclipse.jetty:jetty-http:12.0.12|
|CVE-2025-11143|LOW|org.eclipse.jetty:jetty-http:12.0.31|

In the case of these Jetty issues, they would require a jump to Jetty 12 which 
in turn requires Java 17, and I suspect there's no desire to raise the Java 
baseline to 17 for Tika.

Thanks!


> Multiple CVE security findings in Tika 3.2.3
> --------------------------------------------
>
>                 Key: TIKA-4687
>                 URL: https://issues.apache.org/jira/browse/TIKA-4687
>             Project: Tika
>          Issue Type: Bug
>          Components: tika-core, tika-server
>    Affects Versions: 3.2.3
>            Reporter: Diego Rivera
>            Priority: Major
>
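The request above boils down to one step per flagged library: raise the version in the `pom.xml` to at least the fix version the scanner names. When a scanner reports several advisories against the same artifact (logback-core appears twice, with fix versions 1.5.19 and 1.5.25), only the highest of those versions closes all of them, and a plain string comparison of version numbers gets that wrong once a component passes two digits. The following is an added example, not code from the Tika project or from the issue reporter: it parses a scanner table constructed from the rows in this issue, resolves one minimum fix version per Maven coordinate, and renders a `<dependencyManagement>` block that pins those versions. The table format and the helper names are assumptions of the example.

```python
"""Consolidate scanner findings into one minimum fix version per Maven artifact.

Added example, not part of the Jira issue or the Tika project. The scanner
output below is constructed from the table in the issue description; the
grouping logic itself is generic.
"""
import re
from collections import defaultdict
from xml.sax.saxutils import escape

# Constructed from the issue's table: advisory, severity, fixed coordinate.
SCAN_TABLE = """\
|CVE|Severity|Fix|
|CVE-2026-24308|HIGH|org.apache.zookeeper:zookeeper:3.8.6|
|GHSA-72hv-8253-57qq|HIGH|com.fasterxml.jackson.core:jackson-core:2.21.1|
|CVE-2025-68161|MEDIUM|org.apache.logging.log4j:log4j-core:2.25.3|
|CVE-2025-11226|MEDIUM|ch.qos.logback:logback-core:1.5.19|
|CVE-2026-1225|LOW|ch.qos.logback:logback-core:1.5.25|
"""


def parse_findings(table: str):
    """Yield (advisory, severity, group, artifact, fix_version) for each data row."""
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or cells[0] in ("CVE", ""):
            continue  # skip the header row and blank lines
        advisory, severity, coordinate = cells
        group, artifact, version = coordinate.split(":")
        yield advisory, severity.upper(), group, artifact, version


def version_key(version: str):
    """Sort key that compares numeric components as integers.

    A string comparison would rank 1.5.9 above 1.5.25; this ranks them correctly.
    Non-numeric qualifiers sort after numbers so 2.0 > 2.0-rc1 style ordering holds.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def minimum_fix_versions(table: str):
    """Return {"group:artifact": (highest fix version, [advisories it closes])}.

    When several advisories name the same artifact, only the highest fix
    version closes all of them, so that is the version worth pinning.
    """
    grouped = defaultdict(list)
    for advisory, _severity, group, artifact, version in parse_findings(table):
        grouped[f"{group}:{artifact}"].append((version, advisory))
    result = {}
    for coord, items in grouped.items():
        top = max(items, key=lambda item: version_key(item[0]))[0]
        result[coord] = (top, sorted(adv for _, adv in items))
    return result


def to_dependency_management(fixes) -> str:
    """Render a Maven <dependencyManagement> block pinning each resolved version."""
    lines = ["<dependencyManagement>", "  <dependencies>"]
    for coord in sorted(fixes):
        group, artifact = coord.split(":")
        version, advisories = fixes[coord]
        lines.append(f"    <!-- closes {', '.join(advisories)} -->")
        lines.append("    <dependency>")
        lines.append(f"      <groupId>{escape(group)}</groupId>")
        lines.append(f"      <artifactId>{escape(artifact)}</artifactId>")
        lines.append(f"      <version>{escape(version)}</version>")
        lines.append("    </dependency>")
    lines += ["  </dependencies>", "</dependencyManagement>"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dependency_management(minimum_fix_versions(SCAN_TABLE)))
```

A `<dependencyManagement>` entry overrides the version Maven would otherwise resolve for a transitive dependency, which is why it is the usual place to pin a fix version without restructuring the dependency tree. The scanner's fix version is a lower bound, not a compatibility guarantee; the Jetty rows in the issue are the case in point, where the named fix version sits on a major line with a different Java baseline, so each pinned version still needs a build and test run before release.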



--
This message was sent by Atlassian Jira
(v8.20.10#820010)