TIKA-3232: security vulnerability in dependencies

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.24.1
    • Fix Version/s: 1.25
    • Component/s: None
    • Labels: None

      Description

      Our team runs BlackDuck to find security vulnerabilities, and Tika 1.24.1 was flagged in a recent scan for two libraries that it includes. Here is information about the two libraries, which have vulnerabilities and have recently been patched; Tika needs to upgrade to the patched versions:

      Apache HttpClient v4.5.12

      The recommendation is to upgrade to 4.5.13. I cannot find a CVE number; however, the BlackDuck tool has pointed to the following changeset, made in the 4.5.13 version, that addresses the vulnerability:

      https://github.com/apache/httpcomponents-client/commit/e628b4c5c464c2fa346385596cc78e035a91a62e


      jackson-databind 2.10.3

      The recommendation is to upgrade to 2.11.3. The issue was CVE-2020-25649.
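An added check, not part of this issue or of Tika's own build, that reads a Maven pom.xml and flags the two dependencies above when they are pinned below the fixed versions named in this report; the sample POM, its property names and the minimum-version table are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Minimum versions carrying the fixes named in TIKA-3232 (assumption: only
# these two advisories; extend the table when other scanner findings arrive).
MIN_FIXED = {
    ("org.apache.httpcomponents", "httpclient"): "4.5.13",          # changeset e628b4c5
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.11.3",  # CVE-2020-25649
}

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

def version_key(v):
    """Split '4.5.12' into (4, 5, 12) so comparison is numeric, not lexical."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))

def resolve(value, props):
    """Substitute ${property} references the way Maven does inside <version>."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def find_vulnerable(pom_xml):
    """Return (artifactId, pinned version, minimum fixed version) for each hit."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    findings = []
    for dep in root.iter(f"{POM_NS}dependency"):
        ga = (dep.findtext(f"{POM_NS}groupId"), dep.findtext(f"{POM_NS}artifactId"))
        # A dependency without <version> is managed by a parent POM or BOM;
        # that file has to be checked separately, so skip it here.
        if ga not in MIN_FIXED or dep.findtext(f"{POM_NS}version") is None:
            continue
        actual = resolve(dep.findtext(f"{POM_NS}version").strip(), props)
        if version_key(actual) < version_key(MIN_FIXED[ga]):
            findings.append((ga[1], actual, MIN_FIXED[ga]))
    return findings

# Constructed sample in the shape of a 1.24.1-era POM; not Tika's real file.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <httpclient.version>4.5.12</httpclient.version>
    <jackson.version>2.10.3</jackson.version>
  </properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId><version>${httpclient.version}</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId><version>${jackson.version}</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

if __name__ == "__main__":
    for artifact, actual, needed in find_vulnerable(SAMPLE_POM):
        print(f"{artifact} {actual} -> upgrade to {needed}")
```

Run it against the module's own pom.xml; dependencies whose version comes from a parent or BOM show up only when that file is scanned too.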


            People

            • Assignee: Tim Allison (tallison)
            • Reporter: Shayne Grant (shgran)
            • Votes: 0
            • Watchers: 2
