Details
Description
Tika 1.20 third-party dependencies suffer from 3 separate CVE vulnerabilities outlined below
I am aware that these are already included in a separate ticket which deals with the generic problem of outdated 3rd party libraries. https://issues.apache.org/jira/projects/TIKA/issues/TIKA-2854
At the very least you should update your security page with the details and potentially release 1.21 to correct these issues.
https://tika.apache.org/security.html
a) GUAVA v_17 -> CVE-2018-10237
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers
https://nvd.nist.gov/vuln/detail/CVE-2018-10237
b) jackson-databind v_2.9.7 -> CVE-2018-19362
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
https://nvd.nist.gov/vuln/detail/CVE-2018-19362
c) sqlite-jdbc v_3.25.2 -> CVE-2018-20346
SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
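One way to check a build for the three affected ranges listed above is to run `mvn dependency:list` on the module and compare each resolved version against the advisory bounds. The script below is an added example, not code from the ticket or from the Tika project. It assumes the standard Maven coordinates for the three artifacts (`com.google.guava:guava`, `com.fasterxml.jackson.core:jackson-databind`, `org.xerial:sqlite-jdbc`), takes the affected ranges as stated in the CVE text (lower bound inclusive, upper bound exclusive), follows the ticket in mapping the SQLite CVE onto the `sqlite-jdbc` artifact version, and parses a constructed sample of `dependency:list` output embedded inline.

```python
"""Flag resolved Maven dependencies that fall inside the affected version
ranges named in the ticket. Added example; not part of Apache Tika."""
import re
from typing import Dict, List, Optional, Tuple

# (coordinates, CVE, first affected version inclusive, first fixed version).
# Coordinates are the usual Maven ones for these artifacts (assumption); the
# ranges are taken from the CVE descriptions quoted in the ticket.
ADVISORIES: List[Tuple[str, str, Optional[str], str]] = [
    ("com.google.guava:guava", "CVE-2018-10237", "11.0", "24.1.1"),
    ("com.fasterxml.jackson.core:jackson-databind", "CVE-2018-19362", "2.0", "2.9.8"),
    # The ticket maps the SQLite CVE onto sqlite-jdbc 3.25.2; treating the
    # driver version as the bundled SQLite version is an assumption here.
    ("org.xerial:sqlite-jdbc", "CVE-2018-20346", None, "3.25.3"),
]

# Constructed sample of `mvn dependency:list` output; the three versions match
# the ones named in the ticket, the fourth line is an unaffected control.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.google.guava:guava:jar:17.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile
[INFO]    org.xerial:sqlite-jdbc:jar:3.25.2:provided
[INFO]    org.apache.commons:commons-compress:jar:1.18:compile
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '24.1.1' or '27.0-jre' into a comparable tuple, padded to three
    numeric components; parsing stops at the first non-numeric qualifier."""
    nums: List[int] = []
    for piece in re.split(r"[.\-]", version):
        match = re.match(r"\d+", piece)
        if not match:
            break
        nums.append(int(match.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str, first_affected: Optional[str], first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed."""
    key = version_key(version)
    if first_affected is not None and key < version_key(first_affected):
        return False
    return key < version_key(first_fixed)


def parse_dependency_list(text: str) -> Dict[str, str]:
    """Map 'groupId:artifactId' to version from dependency:list lines of the
    form '[INFO]    groupId:artifactId:type[:classifier]:version:scope'."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        body = line.replace("[INFO]", "", 1).strip()
        parts = body.split(":")
        if len(parts) < 5:
            continue  # header, blank or otherwise non-dependency line
        group, artifact = parts[0], parts[1]
        version = parts[-2]  # scope is always the last field
        deps[f"{group}:{artifact}"] = version
    return deps


def find_vulnerable(deps: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (coordinates, resolved version, CVE) for every advisory hit."""
    hits: List[Tuple[str, str, str]] = []
    for coords, cve, first_affected, first_fixed in ADVISORIES:
        resolved = deps.get(coords)
        if resolved is not None and is_affected(resolved, first_affected, first_fixed):
            hits.append((coords, resolved, cve))
    return hits


if __name__ == "__main__":
    for coords, version, cve in find_vulnerable(parse_dependency_list(SAMPLE_DEPENDENCY_LIST)):
        print(f"{coords} {version} is inside the affected range for {cve}")
```

Run it against real output by piping `mvn dependency:list` through `parse_dependency_list` instead of the constructed sample; a clean result for the three coordinates means the module has moved past the fixed versions named in the CVE text.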