Tika / TIKA-3232

security vulnerability in dependencies

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.24.1
    • 1.25
    • None
    • None

    Description

      Our team runs BlackDuck to find security vulnerabilities, and Tika 1.24.1 was flagged in a recent scan for two libraries that it includes. Here is information about the two libraries that have vulnerabilities and have been recently patched, which Tika needs to upgrade to:

      Apache HttpClient v4.5.12

      The recommendation is to upgrade to 4.5.13. I cannot find a CVE number; however, the BlackDuck tool has pointed to the following changeset that was made in the 4.5.13 version that addresses the vulnerability:

      https://github.com/apache/httpcomponents-client/commit/e628b4c5c464c2fa346385596cc78e035a91a62e

      jackson-databind 2.10.3

      The recommendation is to upgrade to 2.11.3. The issue was CVE-2020-25649.
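
To check whether a build still resolves the two versions flagged above, the following added example (not part of the original report or of Tika's code) scans `mvn dependency:tree` output for artifacts older than the recommended versions. The sample tree is constructed, and the thresholds are the two versions the report recommends, so a fix backported to an older release line would still be flagged.

```python
import re

# Versions the report above recommends upgrading to (Maven groupId:artifactId).
RECOMMENDED = {
    "org.apache.httpcomponents:httpclient": "4.5.13",
    "com.fasterxml.jackson.core:jackson-databind": "2.11.3",
}

# Constructed sample of `mvn dependency:tree` output, not taken from a real build.
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.tika:tika-parsers:jar:1.24.1:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.10.3:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.11.3:compile
[INFO] \\- org.apache.httpcomponents:httpclient:jar:tests:4.5.13:test
"""

# Matches group:artifact:type[:classifier]:version:scope
COORD = re.compile(r"[\w.\-]+(?::[\w.\-]+){4,5}")


def version_key(version):
    """Numeric sort key; qualifiers after '-' (e.g. -SNAPSHOT) are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def find_outdated(tree_text, recommended=RECOMMENDED):
    """Return sorted (coordinate, found, recommended) for versions below the target."""
    hits = set()
    for line in tree_text.splitlines():
        match = COORD.search(line)
        if not match:
            continue  # root artifact or non-dependency log line
        parts = match.group(0).split(":")
        # Version is always second from the end, with or without a classifier.
        coordinate, found = f"{parts[0]}:{parts[1]}", parts[-2]
        target = recommended.get(coordinate)
        if target and version_key(found) < version_key(target):
            hits.add((coordinate, found, target))
    return sorted(hits)


if __name__ == "__main__":
    for coordinate, found, target in find_outdated(SAMPLE_TREE):
        print(f"{coordinate} {found} is older than {target}")
```

Feed it the real output of `mvn dependency:tree` for a project; transitive copies pulled in through Tika show up the same way as direct dependencies.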

          People

            tallison Tim Allison
            shgran Shayne Grant