Hi,
According to https://nvd.nist.gov/vuln/detail/cve-2024-6763
Jetty is vulnerable up to 9.4.57.
We can't update to Jetty 12 because of troubles with SolrJ. I could make
another attempt because it's now another Solr version.
Tilman
On 10.12.2025 at 12:14, Maik Weber wrote:
Hi,
Our CVE scan reports the same CVE-2024-6763 issue for Apache Tika 3.2.3.
The versions of Eclipse Jetty 7.0.0 - 12.0.11 are known to be affected
by CVE-2024-6763:
https://www.cve.org/CVERecord?id=CVE-2024-6763
As stated, Apache Tika 3.2.3 includes Jetty 11.0.26.
Now, Eclipse Jetty 12.0.12 resolves the issue. The latest version of
Eclipse Jetty is 12.0.31.
So, to resolve this (and other) issues, the security-vulnerable
version has to be replaced by the latest version.
When will the included version of Jetty be updated in Apache Tika?
Greetings
Maik
On 2025/11/26 11:51:35 Tilman Hausherr wrote:
> Hi,
>
> The current version is 3.2.3 and that one uses 11.0.26.
>
> Tilman
>
> On 26.11.2025 at 12:46, Saravanan Balakrishnan wrote:
> > Thanks for the mail. Is there a plan to fix CVE-2024-6763 for the
> > jetty-http-11.0.25.jar file used in Tika 3.2.2?
> > https://nvd.nist.gov/vuln/detail/cve-2024-6763
> > Regards,
> > Saravanan B