Fabrizio Fortino created OAK-10546:
--------------------------------------
Summary: Tika 1.28.5 includes a vulnerable Guava dependency
Key: OAK-10546
URL: https://issues.apache.org/jira/browse/OAK-10546
Project: Jackrabbit Oak
Issue Type: Improvement
Components: oak-search-elastic, oak-solr-core, oak-examples, oak-run
Reporter: Fabrizio Fortino
Guava 31.1 has a critical vulnerability [0]. It is included as a transient
dependency of Tika 1.28.5 [1]. This is the latest 1.x available release of
Tika. Being EOL it won't receive any security-related updates [2].
The work to upgrade to Tika 2.x would require some time.
If possible, we should find an alternative solution to avoid including this
vulnerable dependency.
[0] [https://www.opencve.io/cve/CVE-2023-2976]
[1] [https://mvnrepository.com/artifact/org.apache.tika/tika-parsers/1.28.5]
[2] [https://lists.apache.org/thread/yq6n7o01kw544dvj1jsoqk29g6yqjkp3]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
