[ https://issues.apache.org/jira/browse/OAK-10546?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Julian Reschke updated OAK-10546:
---------------------------------
Summary: Tika 1.28.5 references a vulnerable Guava version (was: Tika
1.28.5 includes a vulnerable Guava dependency)
> Tika 1.28.5 references a vulnerable Guava version
> -------------------------------------------------
>
> Key: OAK-10546
> URL: https://issues.apache.org/jira/browse/OAK-10546
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: oak-examples, oak-run, oak-search-elastic, oak-solr-core
> Reporter: Fabrizio Fortino
> Assignee: Fabrizio Fortino
> Priority: Major
>
> Guava 31.1 has a critical vulnerability [0]. It is included as a transient
> dependency of Tika 1.28.5 [1]. This is the latest 1.x available release of
> Tika. Being EOL it won't receive any security-related updates [2].
> The work to upgrade to Tika 2.x would require some time.
> If possible, we should find an alternative solution to avoid including this
> vulnerable dependency.
> [0] https://www.opencve.io/cve/CVE-2023-2976
> [1] https://mvnrepository.com/artifact/org.apache.tika/tika-parsers/1.28.5
> [2] https://lists.apache.org/thread/yq6n7o01kw544dvj1jsoqk29g6yqjkp3
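One way to keep Tika 1.28.5 while dropping the Guava 31.1 it pulls in transitively is to exclude Guava from the tika-parsers dependency and declare a patched Guava version directly. This is an added illustration, not code from the Oak project or from the thread; the Guava version is a placeholder because the issue does not name a fixed release, and the minimal pom layout is assumed.

```xml
<!-- Added example for OAK-10546, not from the Oak build. Shows how a Maven build
     can stop tika-parsers 1.28.5 from bringing in Guava 31.1 (CVE-2023-2976). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.placeholder</groupId>
  <artifactId>tika-guava-override</artifactId>
  <version>0-SNAPSHOT</version>

  <properties>
    <!-- PLACEHOLDER: set to a Guava release in which CVE-2023-2976 is fixed.
         The thread does not state which release that is. -->
    <guava.version>GUAVA_FIXED_VERSION</guava.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-parsers</artifactId>
      <version>1.28.5</version>
      <!-- Cut the transitive edge to Guava so that Tika's declared 31.1 never
           reaches the classpath; the explicit dependency below supplies Guava. -->
      <exclusions>
        <exclusion>
          <groupId>com.google.guava</groupId>
          <artifactId>guava</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Declare Guava directly at the patched version. Because Tika 1.28.5 was
         compiled against 31.1, the Tika parsers still have to be exercised
         against the newer Guava to confirm no API it uses was removed. -->
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>${guava.version}</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=com.google.guava:guava` should list only the pinned version and no remaining 31.1 path; if another dependency still pulls in 31.1, a `dependencyManagement` entry for Guava is the usual way to override every transitive path at once.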
--
This message was sent by Atlassian Jira
(v8.20.10#820010)