[TIKA-3488] Security issue XXE in TIKA due to JDOM - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.25
Fix Version/s: 2.2.1
Component/s: tika-server
Labels:
None

Description

Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck Hub has reported this vulnerability CVE-2021-33813 with more detail on the following page.

https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705

Although the following issue is entered, it is not yet fixed and there is no timeline given.

https://github.com/hunterhacker/jdom/issues/189

There are some workaround discussed on this issue. Can this be fixed in TIKA in the meanwhile?

Attachments

Issue Links

duplicates

TIKA-3539 jdom 2.0.6 dependency in tika-parser-news-module has unfixed CVE

Resolved

is related to

TIKA-3492 Upgrade version for TPS: rome to 1.16.0 in tika-bundle

Resolved

is superceded by

TIKA-3635 Upgrade to rome 1.18.0

Resolved

relates to

TIKA-3506 please fix multipile CVE in commons-compress for tika-parsers 1.x too

Open

TIKA-3613 General upgrades for 1.27.1

Open

links to

GitHub Pull Request #468

(1 links to)

Activity

People

Assignee:: Lewis John McGibbney

Reporter:: Arvind Jagtap

Votes:: 1 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 21/Jul/21 11:18

Updated:: 30/Dec/21 10:45

Resolved:: 30/Dec/21 04:31