[ https://issues.apache.org/jira/browse/TIKA-2877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16841492#comment-16841492 ]
Tim Allison commented on TIKA-2877:
-----------------------------------

Voting is underway for 1.21: https://lists.apache.org/thread.html/2c027535156cc6862149490b289552d72ba5a9bff985fb7cce794e21@%3Cdev.tika.apache.org%3E

I can add a new table for dependency vulnerabilities on our security page. Thank you.

> Tika 1.20 suffers from 3 separate CVE vulnerabilities
> ----------------------------------------------------
>
>                 Key: TIKA-2877
>                 URL: https://issues.apache.org/jira/browse/TIKA-2877
>             Project: Tika
>          Issue Type: Bug
>          Components: app
>    Affects Versions: 1.20
>         Environment: These are generic issues.
>            Reporter: Pat cashman
>            Priority: Critical
>
> Tika 1.20 third-party dependencies suffer from 3 separate CVE
> vulnerabilities outlined below.
> I am aware that these are already included in a separate ticket which deals
> with the generic problem of outdated 3rd-party libraries.
> [https://issues.apache.org/jira/projects/TIKA/issues/TIKA-2854]
> At the very least you should update your security page with the details and
> potentially release 1.21 to correct these issues.
> [https://tika.apache.org/security.html]
>
> *a) Guava v17 -> CVE-2018-10237*
> Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1
> allows remote attackers to conduct denial of service attacks against servers.
> [https://nvd.nist.gov/vuln/detail//CVE-2018-10237]
>
> *b) jackson-databind v2.9.7 -> CVE-2018-19362*
> FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have
> unspecified impact by leveraging failure to block the jboss-common-core class
> from polymorphic deserialization.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-19362]
>
> *c) sqlite-jdbc v3.25.2 -> CVE-2018-20346*
> SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an
> integer overflow (and resultant buffer overflow) for FTS3 queries that occur
> after crafted changes to FTS3 shadow tables, allowing remote attackers to
> execute arbitrary code by leveraging the ability to run arbitrary SQL
> statements (such as in certain WebSQL use cases), aka Magellan.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-20346]

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
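The three findings above are all "which version of X is bundled inside the jar I actually deploy" questions, and for a shaded artifact such as tika-app the answer is not visible from the application's own pom. The script below is an added example, not code from the Tika project or from anyone on this thread. It walks a jar for the META-INF/maven/<groupId>/<artifactId>/pom.properties files that maven-shade-plugin copies in from each bundled dependency (assumption: the build did not exclude them) and checks each coordinate against the affected ranges quoted in the issue, treating the sqlite-jdbc artifact version as the bundled SQLite version (assumption: the xerial version number tracks SQLite). The sample jars, the group ids and the "patched" versions are constructed for the demonstration.

```python
import io
import re
import sys
import zipfile

# (groupId, artifactId) -> (CVE, lowest affected, first fixed), from the CVE
# text quoted in TIKA-2877.  A version is affected when lowest <= v < fixed.
# Assumption: sqlite-jdbc's version number equals the SQLite it bundles.
ADVISORIES = {
    ("com.google.guava", "guava"): ("CVE-2018-10237", "11.0", "24.1.1"),
    ("com.fasterxml.jackson.core", "jackson-databind"): ("CVE-2018-19362", "2.0", "2.9.8"),
    ("org.xerial", "sqlite-jdbc"): ("CVE-2018-20346", "0", "3.25.3"),
}

# Assumption: the shaded jar kept the per-dependency pom.properties files.
POM_PROPERTIES = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(v):
    """'24.1.1-jre' -> (24, 1, 1, 0): numeric components only, zero-padded.

    Qualifiers such as -jre/-android are dropped; that is good enough for the
    purely numeric ranges used here, but not for -SNAPSHOT/-beta ordering.
    """
    parts = [int(p) for p in v.split("-", 1)[0].split(".") if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))


def bundled_artifacts(jar):
    """Return {(groupId, artifactId): version} for each pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(jar) as zf:  # jar may be a path or a file-like object
        for name in zf.namelist():
            m = POM_PROPERTIES.match(name)
            if not m:
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, val = line.partition("=")
                    props[key.strip()] = val.strip()
            # Values inside the file win; the path segments are the fallback.
            coords = (props.get("groupId", m.group(1)), props.get("artifactId", m.group(2)))
            if "version" in props:
                found[coords] = props["version"]
    return found


def affected(coords, version):
    """CVE id if coords@version falls inside a listed affected range, else None."""
    adv = ADVISORIES.get(coords)
    if adv is None:
        return None
    cve, lowest, fixed = adv
    v = parse_version(version)
    return cve if parse_version(lowest) <= v < parse_version(fixed) else None


def scan_jar(jar):
    """(artifactId, version, CVE) for every bundled artifact that is affected."""
    hits = []
    for coords, version in sorted(bundled_artifacts(jar).items()):
        cve = affected(coords, version)
        if cve:
            hits.append((coords[1], version, cve))
    return hits


def build_sample_jar(versions):
    """Constructed stand-in for a shaded jar: one pom.properties per dependency."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for (group, artifact), version in versions.items():
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
    buf.seek(0)
    return buf


# Constructed inputs: the versions the issue reports for Tika 1.20 (plus one
# unrelated dependency that must be ignored), and a hypothetical rebuild with
# each dependency moved past its fix version.
TIKA_1_20_DEPS = {
    ("com.google.guava", "guava"): "17.0",
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.9.7",
    ("org.xerial", "sqlite-jdbc"): "3.25.2",
    ("commons-io", "commons-io"): "2.6",
}
PATCHED_DEPS = {
    ("com.google.guava", "guava"): "27.1-jre",
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.9.8",
    ("org.xerial", "sqlite-jdbc"): "3.27.2",
}


def scan_sample(deps):
    return scan_jar(build_sample_jar(deps))


if __name__ == "__main__":
    # Usage: python scan.py tika-app-1.20.jar   (no argument: scan the sample)
    hits = scan_jar(sys.argv[1]) if len(sys.argv) > 1 else scan_sample(TIKA_1_20_DEPS)
    for artifact, version, cve in hits:
        print(f"{artifact} {version}: {cve}")
    sys.exit(1 if hits else 0)
```

Run against a real tika-app jar the exit status makes this usable as a CI gate; the version comparison deliberately ignores Maven qualifiers, so a build that pins a -SNAPSHOT or -beta would need a proper Maven version comparator rather than this tuple check.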