Thank you for sharing this with us. We're on the cusp of the vote for releasing 2.8.0. That version of Tika uses jetty 9.4.51.v20230217.
On Mon, May 8, 2023 at 1:05 PM Jason Warren <[email protected]> wrote:
>
> Hello,
>
> We are detecting two vulnerabilities in the tika-server-standard-2.7.0.jar
> file:
>
> OutOfMemoryError for large multipart without filename in Eclipse Jetty
> GitHub advisory: https://github.com/advisories/GHSA-qw69-rqj8-6qw8
> CVE-2023-26048 -
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
>
> Package Information
> Name: org.eclipse.jetty:jetty-server
> Package Type: Java
> Path: tika-server-standard-2.7.0.jar
> Installed Version: 9.4.50.v20221201
> Fixed Version: 9.4.51
>
>
> Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from
> other cookies
> GitHub advisory: https://github.com/advisories/GHSA-p26g-97m4-6q7c
> CVE-2023-26049 -
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
>
> Package Information
> Name: org.eclipse.jetty:jetty-server
> Package Type: Java
> Path: tika-server-standard-2.7.0.jar
> Installed Version: 9.4.50.v20221201
> Fixed Version: 9.4.51
>
>
> Thank you,
> Jason
>
