Apologies for taking so long to respond. Apache's security team advised us to 
open a new CVE to cover the expanded components. We just did this on: 
CVE-2025-66516.

Thank you for bringing this to our attention.

Best,

     Tim

On 2025/10/29 12:15:09 Tim Allison wrote:
> Good point. Let me check with ASF security.
> 
> On Wed, Oct 29, 2025 at 6:04 AM Vladimir Sitnikov
> <[email protected]> wrote:
> >
> > Hi,
> >
> > Could you please update the CVE metadata so it includes both packages:
> > org.apache.tika:tika-parser-pdf-module and org.apache.tika:tika-parsers?
> >
> > Currently, the CVE lists only the tika-parser-pdf-module artifact, so the
> > scanners do not detect the vulnerabilities if the software uses the 1.x
> > "all in one" tika-parsers.jar.
> >
> > I've filed an improvement to the GitHub vulnerability database; however,
> > it would be great if you could update the base CVE metadata as well:
> > https://github.com/github/advisory-database/pull/6366
> >
> > Vladimir
> 
