Fabrizio Fortino created OAK-10546:
--------------------------------------

             Summary: Tika 1.28.5 includes a vulnerable Guava dependency
                 Key: OAK-10546
                 URL: https://issues.apache.org/jira/browse/OAK-10546
             Project: Jackrabbit Oak
          Issue Type: Improvement
          Components: oak-search-elastic, oak-solr-core, oak-examples, oak-run
            Reporter: Fabrizio Fortino
Guava 31.1 has a critical vulnerability [0]. It is included as a transient dependency of Tika 1.28.5 [1]. This is the latest 1.x available release of Tika. Being EOL, it won't receive any security-related updates [2].

The work to upgrade to Tika 2.x would require some time. If possible, we should find an alternative solution to avoid including this vulnerable dependency.

[0] https://www.opencve.io/cve/CVE-2023-2976
[1] https://mvnrepository.com/artifact/org.apache.tika/tika-parsers/1.28.5
[2] https://lists.apache.org/thread/yq6n7o01kw544dvj1jsoqk29g6yqjkp3

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
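The two Maven-level workarounds a consumer of tika-parsers 1.28.5 would normally reach for, as an added example that is not part of the ticket and not taken from the Oak project's own pom.xml files: pinning Guava to a patched release through dependencyManagement, or excluding Guava from the tika-parsers artifact altogether. The project coordinates are placeholders, and the choice of 32.0.0-jre (the first release the CVE-2023-2976 advisory lists as fixed) being API-compatible with Tika 1.28.5 is an assumption that has to be confirmed by the module's own tests.

```xml
<!-- Added example, not the Oak project's pom.xml. Placeholder coordinates. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>tika-consumer</artifactId>
  <version>0-SNAPSHOT</version>

  <!-- Option A: pin the Guava version for the whole module.
       A managed version overrides whatever transitive resolution would pick,
       so the Guava 31.1 pulled in by tika-parsers is replaced by 32.0.0-jre.
       Assumption: Tika 1.28.5 runs unchanged against 32.0.0-jre; run the
       module's test suite to confirm before relying on it. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>32.0.0-jre</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-parsers</artifactId>
      <version>1.28.5</version>
      <!-- Option B: remove Guava from this artifact's transitive set.
           Only safe when none of the parsers this module actually invokes
           touch Guava at runtime; otherwise the failure shows up late, as a
           NoClassDefFoundError while parsing, not at build time. -->
      <exclusions>
        <exclusion>
          <groupId>com.google.guava</groupId>
          <artifactId>guava</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

Use one option or the other rather than both: with the exclusion in place the managed version only matters if some other dependency still brings Guava in. Either way, confirm the result with `mvn dependency:tree -Dincludes=com.google.guava:guava`, which prints every path through which Guava still reaches the build; the fix is only complete when no 31.1 entry remains in that output.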