Jackrabbit Oak
OAK-10546

Tika 1.28.5 references a vulnerable Guava version



    Description

      Guava 31.1 has a critical vulnerability [0]. It is included as a transitive dependency of Tika 1.28.5 [1], which is the latest available 1.x release of Tika. Being EOL, the 1.x line won't receive any security-related updates [2].

      The work to upgrade to Tika 2.x would require some time.

      If possible, we should find an alternative solution to avoid including this vulnerable dependency.

      [0] https://www.opencve.io/cve/CVE-2023-2976
      [1] https://mvnrepository.com/artifact/org.apache.tika/tika-parsers/1.28.5
      [2] https://lists.apache.org/thread/yq6n7o01kw544dvj1jsoqk29g6yqjkp3

          People

            Fabrizio Fortino