TIKA-3600: Upgrade gson version in tika-app


Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.27
    • Fix Version/s: 1.28
    • Component/s: None
    • Labels: None

    Description

      The gson package from tika-app is vulnerable due to Deserialization of Untrusted Data. The serializable LazilyParsedNumber, LinkedHashTreeMap, and LinkedTreeMap classes permit unsafe deserialization due to use of the default Serializable.readObject() implementation.

      CVE: sonatype-2021-1694
      CVSS Details: Sonatype CVSS 3: 7.5, CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

      gson 2.8.9 is a non-vulnerable version. Please consider upgrading to it in the next release.
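      The report above treats the version bump as the fix. As an added illustration (not code from Tika or from gson), the following Java program shows the complementary defense-in-depth control for this vulnerability class: a JDK 9+ `ObjectInputFilter` that rejects the `com.google.gson.internal` serializable containers before their default `readObject()` can run, and that denies any class outside `java.base` by default. The class name `GsonDeserializationFilter`, the constant `FILTER_PATTERN` and the helper methods are assumptions; because gson is not on the classpath of a stand-alone run, the rejection path is demonstrated with `java.util.ArrayList` as a stand-in for a gson internal class.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class GsonDeserializationFilter {

    // Assumed allow-list in ObjectInputFilter pattern syntax (JDK 9+):
    //   !com.google.gson.internal.**  reject gson's internal serializable classes
    //                                  (LazilyParsedNumber, LinkedTreeMap, LinkedHashTreeMap, ...)
    //   java.base/*                   allow classes of the java.base module
    //   !*                            reject everything else
    static final String FILTER_PATTERN = "!com.google.gson.internal.**;java.base/*;!*";

    // Serialize any object with standard Java serialization (test input only).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the given filter pattern installed on the stream.
    // A class matching a "!" pattern makes readObject() throw InvalidClassException
    // before that class's readObject() implementation is ever invoked.
    static Object deserialize(byte[] bytes, String pattern) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a plain java.base map is allowed by the pattern.
        Map<String, Integer> allowed = new HashMap<>();
        allowed.put("a", 1);
        System.out.println("accepted: " + deserialize(serialize(allowed), FILTER_PATTERN));

        // Constructed input: a stand-in class (ArrayList) rejected by an explicit "!" entry,
        // showing the same outcome a gson internal class gets under FILTER_PATTERN.
        List<String> rejected = new ArrayList<>();
        rejected.add("x");
        try {
            deserialize(serialize(rejected), "!java.util.ArrayList;java.base/*;!*");
            System.out.println("unexpected: ArrayList was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern can be applied process-wide with the `jdk.serialFilter` system property instead of per stream; a per-stream filter is shown here because it keeps the rule next to the code that actually reads untrusted bytes.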

      People

        Assignee: Unassigned
        Reporter: Shubhangi Raut (shuraut)