Uploaded image for project: 'Jackrabbit Oak'
  1. Jackrabbit Oak
  2. OAK-10546

Tika 1.28.5 references a vulnerable Guava version

    XMLWordPrintableJSON

Details

    Description

      Guava 31.1 has a critical vulnerability [0]. It is included as a transient dependency of Tika 1.28.5 [1]. This is the latest 1.x available release of Tika. Being EOL it won't receive any security-related updates [2].

      The work to upgrade to Tika 2.x would require some time.

      If possible, we should find an alternative solution to avoid including this vulnerable dependency.

      [0] https://www.opencve.io/cve/CVE-2023-2976 

      [1] https://mvnrepository.com/artifact/org.apache.tika/tika-parsers/1.28.5

      [2] https://lists.apache.org/thread/yq6n7o01kw544dvj1jsoqk29g6yqjkp3 

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. TIKA-4236 tika-parser-nlp-module has an unnecessary Guava dependency

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. OAK-9752 Update Tika version to 2.x

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open
          links to

          Web Link GitHub Pull Request #1201

          Activity

            People

              fortino Fabrizio Fortino
              fortino Fabrizio Fortino
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: