[TIKA-2801] Tika includes 2 vulnerable components - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.20
Fix Version/s: 1.21
Component/s: parser
Labels:
None

Description

Maven audit plugin reports 2 vulnerable components:

com.google.guava:guava:jar:17.0:compile

[CVE-2018-10237] Deserialization of Untrusted Data (5.9); https://ossindex.sonatype.org/vuln/24585a7f-eb6b-4d8d-a2a9-a6f16cc7c1d0

com.google.protobuf:protobuf-java:jar:2.5.0:compile

[CVE-2015-5237] Improper Restriction of Operations within the Bounds of a Memory Buffer (8.8); https://ossindex.sonatype.org/vuln/d47d20ab-eb2a-4cfd-8064-bbf6283649cb

Maybe it worth to add audit plugin to the build/release?

mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml

Attachments

Issue Links

relates to

TIKA-2854 upgrade out-of-date dependencies with outstanding CVEs

Resolved

Activity

People

Assignee:: Tim Allison

Reporter:: Maxim Solodovnik

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 26/Dec/18 04:25

Updated:: 22/Apr/19 19:30

Resolved:: 22/Apr/19 19:29