Answering my own question...
A string search for XSSFExportToXml in the Tika 1.22 source tree is not
returning any hits.
The fix for the CVE is done in this specific class (see
https://svn.apache.org/viewvc?view=revision&revision=1867484).
I am then assuming that Tika is not exposed since it does not use
XSSFExportToXml.
On 06/11/2019 00:24, Thomas Cherel wrote:
Hi,
tika-parsers has a dependency on Apache POI which is exposed to
CVE-2019-12415: https://nvd.nist.gov/vuln/detail/CVE-2019-12415
Can someone confirm if tika-parsers is exposed to this CVE (which
means if tika-parsers is using the XSSFExportToXml tool/class from
Apache POI)?
Thanks.
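
The string search described in the reply, extended to compiled jars, as an added example that is not part of the thread or of the Tika or POI code: it reports source files and class files that reference the class, and ignores the jar entry that merely defines it. The package name `org.apache.poi.xssf.extractor`, the function names and the sample files are assumptions constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Assumption: fully qualified name of the POI class named in the thread.
TARGET = "org.apache.poi.xssf.extractor.XSSFExportToXml"

def scan_jar(data, label, fqcn=TARGET):
    """List class files in a jar (given as bytes) that reference fqcn."""
    internal = fqcn.replace(".", "/")
    # Constant-pool form (slashes) and the dotted form a reflective lookup would use.
    needles = (internal.encode(), fqcn.encode())
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith((".jar", ".war")):  # nested archive
                hits += scan_jar(blob, f"{label}!{name}", fqcn)
            elif name.endswith(".class") and not name.startswith(internal):
                # Shipping the class (or its inner classes) is not a use of it.
                if any(n in blob for n in needles):
                    hits.append(f"{label}!{name}")
    return hits

def scan_tree(root, fqcn=TARGET):
    """Report .java files and jar entries under root that mention the class."""
    simple = fqcn.rsplit(".", 1)[-1].encode()
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".java" and simple in path.read_bytes():
            hits.append(rel)
        elif path.suffix in (".jar", ".war"):
            hits += scan_jar(path.read_bytes(), rel, fqcn)
    return sorted(hits)

def build_sample(root):
    """Constructed sample: a source use, a bytecode use, and a bare POI jar."""
    internal = TARGET.replace(".", "/")
    Path(root, "Export.java").write_text(f"import {TARGET};\nclass Export {{}}\n")
    for jar, entry in (("app.jar", "com/example/Uses.class"),
                       ("poi-ooxml.jar", internal + ".class")):
        with zipfile.ZipFile(Path(root, jar), "w") as zf:
            zf.writestr(entry, b"\xca\xfe\xba\xbe" + internal.encode())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(scan_tree(tmp)))
```

An empty result covers direct references in the scanned tree only; another dependency that calls the class shows up only if its jar is also under the scanned root.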