[ https://issues.apache.org/jira/browse/TIKA-2952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16941113#comment-16941113 ]
Tim Allison commented on TIKA-2952:
-----------------------------------

I haven't had the time to dig into this thoroughly. I suspect that this might affect Tika.

One of the big problems is that even if metadata-extractor were released with this fix, the more recent underlying Adobe xmpcore libraries have changed the namespace to com.adobe.internal.* So, we'd break a bunch of stuff in our xmp module and elsewhere. I found this when I tried to upgrade to 2.12.0 before our last release.

In order for this to be fixed correctly, we'd have to find someone at Adobe to release their external package named code: com.adobe.*, and then have metadata-extractor upgrade to that. Any fellow devs see a better option?

In general, Tika cannot rely on robustness of underlying parsers, and we encourage separation of parsing into a different process/jvm than your main code, whether that's through tika-server with -spawn-child mode or using the ForkParser or using Tika app in batch mode. That said, we try to do everything we can to fix and upgrade as necessary for more robust code.

> Vulnerable "metadata-extractor 2.11.0" is present in tika 1.22.
> ---------------------------------------------------------------
>
>                 Key: TIKA-2952
>                 URL: https://issues.apache.org/jira/browse/TIKA-2952
>             Project: Tika
>          Issue Type: Bug
>            Reporter: Aman Mishra
>            Priority: Major
>
> We can see that metadata-extractor with version 2.11.0 is present in
> tika-bundle 1.22 jar. We can see that even latest metadata-extractor with
> version 2.12.0 is also vulnerable.
>
> So please confirm your side that "Is this vulnerability [CVE-2019-14262]
> impacting tika or not?"
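The comment above recommends running Tika's parsers in a separate JVM so that a fragile upstream library cannot crash or hang the application that calls Tika. The following is an added example of that pattern using Tika's ForkParser; it is not code from the Jira thread or from the Tika project itself. It assumes a Tika 1.x classpath (tika-core and tika-parsers), and the child-JVM heap size, pool size and the class name `IsolatedParse` are assumptions chosen for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;

import org.apache.tika.exception.TikaException;
import org.apache.tika.fork.ForkParser;
import org.apache.tika.metadata.Metadata;
import org.apache.tika.parser.AutoDetectParser;
import org.apache.tika.parser.ParseContext;
import org.apache.tika.sax.BodyContentHandler;

/**
 * Parses an untrusted file in a separate JVM via Tika's ForkParser, so that a
 * crash, infinite loop or memory blow-up inside an underlying parser library
 * (such as a metadata extractor) is confined to the child process and cannot
 * take down the calling application. (Added example; class name is assumed.)
 */
public class IsolatedParse {

    /** Result of one isolated parse: extracted text plus metadata. */
    public static final class Result {
        public final String text;
        public final Metadata metadata;

        Result(String text, Metadata metadata) {
            this.text = text;
            this.metadata = metadata;
        }
    }

    public static Result parseIsolated(Path file) throws Exception {
        // The child JVM hosts AutoDetectParser; the parent only exchanges
        // parse events with it over a pipe, so parser failures stay remote.
        ForkParser parser = new ForkParser(IsolatedParse.class.getClassLoader(),
                                           new AutoDetectParser());
        try {
            // Cap the child's heap so a pathological input cannot exhaust the
            // host machine (assumed value; tune for your workload).
            parser.setJavaCommand(Arrays.asList("java", "-Xmx256m", "-Djava.awt.headless=true"));
            parser.setPoolSize(2); // at most two child JVMs alive at once (assumed value)

            Metadata metadata = new Metadata();
            BodyContentHandler handler = new BodyContentHandler(-1); // no character limit
            try (InputStream in = Files.newInputStream(file)) {
                parser.parse(in, handler, metadata, new ParseContext());
            }
            return new Result(handler.toString(), metadata);
        } catch (TikaException e) {
            // A child-JVM failure surfaces here as an exception instead of
            // killing this process; quarantine the document rather than
            // retrying it in-process.
            throw new Exception("Isolated parse failed for " + file + ": " + e.getMessage(), e);
        } finally {
            parser.close(); // shut down any pooled child JVMs
        }
    }

    public static void main(String[] args) throws Exception {
        Result r = parseIsolated(Paths.get(args[0]));
        System.out.println("Content-Type: " + r.metadata.get(Metadata.CONTENT_TYPE));
        System.out.println(r.text.substring(0, Math.min(200, r.text.length())));
    }
}
```

Run it as `java -cp tika-app-1.22.jar:. IsolatedParse untrusted.pdf`. The point of the design is the failure path: when the child dies, the parent sees a `TikaException` and keeps running, which is the isolation the comment describes for tika-server's child mode, ForkParser and the batch-mode app alike.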