I assume the text below was for the mailing list; thanks for the
clarification.
I retried building with a jetty 12 version and failed again, and have
updated my comment in the trunk pom.xml file.
Re the CVE link below - "The impact of this vulnerability is limited to
developers that use the Jetty HttpURI directly." we don't use this. We
use "HttpUriRequest" but only in a build test. This would mean we're not
affected.
Tilman
On 10.12.2025 at 16:58, Maik Weber wrote:
Many thanks for your efforts!
Seems that the information at NIST is outdated.
The Jetty project reports the CVE for org.eclipse.jetty:jetty-http :
>=7.0.0, <=12.0.11
https://gitlab.eclipse.org/security/cve-assignment/-/issues/25
Maik
-----Original Message-----
*From*: Tilman Hausherr <[email protected]>
*Reply-To*: [email protected]
*To*: [email protected]
*Subject*: [EXTERNAL] Re: Tika 3.2.2 CVE scan report
*Date*: 12/10/2025 01:53:36 PM
Hi,
According to https://nvd.nist.gov/vuln/detail/cve-2024-6763
jetty is vulnerable up to 9.4.57
We can't update to jetty 12 because of troubles with solrj. I could
make another attempt because it's now another solr version.
Tilman