[ https://issues.apache.org/jira/browse/TIKA-4687?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Diego Rivera closed TIKA-4687.
------------------------------
    Fix Version/s: 3.3.0
       Resolution: Fixed

The next 3.x release is coming in the next couple of weeks, which renders this 
moot.

> Multiple CVE security findings in Tika 3.2.3
> --------------------------------------------
>
>                 Key: TIKA-4687
>                 URL: https://issues.apache.org/jira/browse/TIKA-4687
>             Project: Tika
>          Issue Type: Bug
>          Components: tika-core, tika-server
>    Affects Versions: 3.2.3
>            Reporter: Diego Rivera
>            Priority: Major
>             Fix For: 3.3.0
>
>
> During our security scans, our Tika 3.2.3 container raised the following CVE 
> issues (fixes listed):
>
> |CVE|Severity|Fix|
> |CVE-2026-24308|HIGH|org.apache.zookeeper:zookeeper:3.8.6|
> |GHSA-72hv-8253-57qq|HIGH|com.fasterxml.jackson.core:jackson-core:2.21.1|
> |CVE-2025-68161|MEDIUM|org.apache.logging.log4j:log4j-core:2.25.3|
> |CVE-2025-11226|MEDIUM|ch.qos.logback:logback-core:1.5.19|
> |CVE-2026-1225|LOW|ch.qos.logback:logback-core:1.5.25|
>
> Is there any chance that all of the above can be addressed for the next 
> release (3.2.4)?
> In most cases it should be simple enough to update the dependent library's 
> version in the `pom.xml`. There are two more that I'm not requesting a fix 
> for:
>
> |CVE|Severity|Fix|
> |CVE-2024-6763|MEDIUM|org.eclipse.jetty:jetty-http:12.0.12|
> |CVE-2025-11143|LOW|org.eclipse.jetty:jetty-http:12.0.31|
>
> In the case of these Jetty issues, they would require a jump to Jetty 12 
> which in turn requires Java 17, and I suspect there's no desire to raise the 
> Java baseline to 17 for Tika.
>
> Thanks!
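A way to check your own build against the fix versions in the table above, as an added example that is not code from the ticket or from the Tika project: it parses the text output of `mvn dependency:tree`, takes the highest required version when several advisories name the same artifact (logback-core is listed twice, with 1.5.19 and 1.5.25), and reports every resolved artifact still below that version. The dependency tree embedded below is constructed for the demonstration; its project name and resolved versions are invented and are not a claim about what Tika 3.2.3 actually pulls in.

```python
"""Audit a Maven dependency tree against advisory fix versions.

Added example, not part of TIKA-4687.  Reads `mvn dependency:tree` text output
and flags artifacts resolved below the minimum fixed version.
"""
import re
from typing import Dict, List, Tuple

# Minimum fix versions exactly as listed in the ticket's findings table.
FINDINGS = [
    ("CVE-2026-24308", "org.apache.zookeeper:zookeeper", "3.8.6"),
    ("GHSA-72hv-8253-57qq", "com.fasterxml.jackson.core:jackson-core", "2.21.1"),
    ("CVE-2025-68161", "org.apache.logging.log4j:log4j-core", "2.25.3"),
    ("CVE-2025-11226", "ch.qos.logback:logback-core", "1.5.19"),
    ("CVE-2026-1225", "ch.qos.logback:logback-core", "1.5.25"),
]

# Constructed sample of `mvn dependency:tree` output.  The project and the
# resolved versions are invented for this demonstration only.
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ my-app ---
[INFO] org.example:my-app:jar:1.0.0
[INFO] +- org.apache.tika:tika-core:jar:3.2.3:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.24.3:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.21.1:compile
[INFO] +- ch.qos.logback:logback-core:jar:1.5.19:compile
[INFO] \\- org.apache.zookeeper:zookeeper:jar:3.8.6:compile
"""

# One resolved coordinate per line: groupId:artifactId:type[:classifier]:version:scope,
# preceded by the tree-drawing characters Maven prints (| + \ -).  The root
# artifact has no scope and is deliberately not matched.
COORD_RE = re.compile(
    r"^\[INFO\]\s+[|+\\\- ]*([\w.\-]+):([\w.\-]+):[\w.\-]+(?::[\w.\-]+)?:([\w.\-]+):(\w+)\s*$"
)


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key: numeric components first; a qualifier (2.21.1-rc1) sorts
    before the plain release (2.21.1), matching Maven's ordering for that case."""
    nums: List[int] = []
    has_qualifier = False
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            nums.append(int(part))
        else:
            has_qualifier = True
            break
    nums += [0] * (4 - len(nums))  # 1.5 compares equal to 1.5.0
    return (tuple(nums), 0 if has_qualifier else 1)


def required_versions(findings) -> Dict[str, Tuple[str, List[str]]]:
    """Collapse several advisories on one artifact to the highest fix version,
    keeping every advisory id so the report can cite all of them."""
    required: Dict[str, Tuple[str, List[str]]] = {}
    for advisory, artifact, fix in findings:
        fix_so_far, advisories = required.get(artifact, (fix, []))
        if version_key(fix) > version_key(fix_so_far):
            fix_so_far = fix
        required[artifact] = (fix_so_far, advisories + [advisory])
    return required


def parse_tree(text: str) -> Dict[str, str]:
    """Map groupId:artifactId to the version Maven resolved (first occurrence wins)."""
    resolved: Dict[str, str] = {}
    for line in text.splitlines():
        match = COORD_RE.match(line)
        if match:
            group, artifact, version, _scope = match.groups()
            resolved.setdefault(f"{group}:{artifact}", version)
    return resolved


def audit(tree_text: str, findings) -> List[Dict[str, object]]:
    """Return one record per artifact that is present and below its fix version."""
    resolved = parse_tree(tree_text)
    report: List[Dict[str, object]] = []
    for artifact, (minimum, advisories) in required_versions(findings).items():
        version = resolved.get(artifact)
        if version is None:
            continue  # not in this build, nothing to override
        if version_key(version) < version_key(minimum):
            report.append({"artifact": artifact, "resolved": version,
                           "required": minimum, "advisories": advisories})
    return report


if __name__ == "__main__":
    for item in audit(SAMPLE_TREE, FINDINGS):
        print(f"{item['artifact']} {item['resolved']} < {item['required']} "
              f"({', '.join(item['advisories'])})")
```

On the constructed tree, log4j-core (2.24.3) and logback-core (1.5.19) are reported; logback-core shows the case the table makes visible, where a build already patched for CVE-2025-11226 still needs 1.5.25 for CVE-2026-1225. To run it against a real project, pipe `mvn dependency:tree` output into `audit` in place of `SAMPLE_TREE`.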



--
This message was sent by Atlassian Jira
(v8.20.10#820010)