Tika itself does not use that class, but it is a vuln if any of your client code calls it, obviously. We're discussing the 1.23 release that includes the latest version of POI.
On Tue, Nov 5, 2019 at 7:07 PM Thomas Cherel <[email protected]> wrote:
> Answering my own question...
>
> A string search for XSSFExportToXml in the tika 1.22 source tree is not returning any hits.
> The fix for the CVE is done in this specific class (see https://svn.apache.org/viewvc?view=revision&revision=1867484).
>
> I am then assuming that tika is not exposed since it does not use XSSFExportToXml.
>
> On 06/11/2019 00:24, Thomas Cherel wrote:
> > Hi,
> >
> > tika-parsers has a dependency on Apache POI, which is exposed to CVE-2019-12415: https://nvd.nist.gov/vuln/detail/CVE-2019-12415
> >
> > Can someone confirm if tika-parsers is exposed to this CVE (which means if tika-parsers is using the XSSFExportToXml tool/class from Apache POI)?
> >
> > Thanks.
