[jira] [Created] (TIKA-3232) security vulnerability in dependencies


Steve Loughran (Jira)
Shayne Grant created TIKA-3232:

             Summary: security vulnerability in dependencies
                 Key: TIKA-3232
                 URL: https://issues.apache.org/jira/browse/TIKA-3232
             Project: Tika
          Issue Type: Bug
    Affects Versions: 1.24.1
            Reporter: Shayne Grant

Our team runs BlackDuck to find security vulnerabilities, and Tika 1.24.1 was flagged in a recent scan for two libraries that it includes. Here is information about the two libraries, which have vulnerabilities that have recently been patched and which Tika needs to upgrade to:

Apache HttpClient v4.5.12

The recommendation is to upgrade to 4.5.13. I cannot find a CVE number; however, the BlackDuck tool has pointed to the following changeset, made in the 4.5.13 version, that addresses the vulnerability

jackson-databind 2.10.3

The recommendation is to upgrade to 2.11.3. The issue was CVE-2020-25649.

This message was sent by Atlassian Jira
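The report above names two minimum versions for transitive dependencies of Tika 1.24.1. The following is an added example, not code from the report or from the Tika project, of how a consuming project can check its own resolved dependency tree against those minimums; it assumes the text of a `mvn dependency:list` run is available and the sample output below is constructed for illustration.

```python
import re

# Minimum versions named in TIKA-3232 (httpclient 4.5.13, jackson-databind 2.11.3).
MIN_VERSIONS = {
    "org.apache.httpcomponents:httpclient": "4.5.13",
    "com.fasterxml.jackson.core:jackson-databind": "2.11.3",
}

# Matches one `mvn dependency:list` line: group:artifact:packaging:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<ga>[\w.\-]+:[\w.\-]+):(?P<pkg>[\w\-]+):(?P<ver>[^:\s]+):(?P<scope>\w+)")


def parse_version(ver):
    """Turn '4.5.12' (or '2.10.3.1') into a comparable tuple of ints.
    Non-numeric qualifiers are dropped, so '2.11.3-rc1' compares as (2, 11, 3)."""
    parts = []
    for seg in ver.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_outdated(dependency_list_output):
    """Return {group:artifact: (found_version, required_version)} for every
    listed artifact whose resolved version is below the minimum in MIN_VERSIONS."""
    outdated = {}
    for line in dependency_list_output.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        ga, ver = m.group("ga"), m.group("ver")
        required = MIN_VERSIONS.get(ga)
        if required and parse_version(ver) < parse_version(required):
            outdated[ga] = (ver, required)
    return outdated


# Constructed sample of `mvn dependency:list` output for a project on Tika 1.24.1.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:1.24.1:compile
[INFO]    org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.10.3:compile
[INFO]    org.apache.httpcomponents:httpcore:jar:4.4.13:compile
"""

if __name__ == "__main__":
    for ga, (found, required) in find_outdated(SAMPLE_OUTPUT).items():
        print(f"{ga}: found {found}, need >= {required}")
```

Running it against the constructed sample flags both artifacts from the report; feeding it real `mvn dependency:list` output from your build (for example piped into a CI step) turns the same check into a gate that fails until the overrides are in place.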