[
https://issues.apache.org/jira/browse/TIKA-2952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16941113#comment-16941113
]
Tim Allison commented on TIKA-2952:
-----------------------------------
I haven't had the time to dig into this thoroughly. I suspect that this might
affect Tika.
One of the big problems is that even if metadata-extractor were released with
this fix, the more recent underlying Adobe xmpcore libraries have changed the
namespace to com.adobe.internal.*. So, we'd break a bunch of stuff in our xmp
module and elsewhere. I found this when I tried to upgrade to 2.12.0 before our
last release.
In order for this to be fixed correctly, we'd have to find someone at Adobe to
release their external package named com.adobe.*, and then have
metadata-extractor upgrade to that.
Any fellow devs see a better option?
In general, Tika cannot rely on robustness of underlying parsers, and we
encourage separation of parsing into a different process/jvm than your main
code, whether that's through tika-server with -spawn-child mode or using the
ForkParser or using Tika app in batch mode.
That said, we try to do everything we can to fix and upgrade as necessary for
more robust code.
> Vulnerable "metadata-extractor 2.11.0" is present in tika 1.22.
> ---------------------------------------------------------------
>
> Key: TIKA-2952
> URL: https://issues.apache.org/jira/browse/TIKA-2952
> Project: Tika
> Issue Type: Bug
> Reporter: Aman Mishra
> Priority: Major
>
> We can see that metadata-extractor with version 2.11.0 is present in
> tika-bundle 1.22 jar. We can see that even latest metadata-extractor with
> version 2.12.0 is also vulnerable.
>
> So please confirm on your side whether this vulnerability [CVE-2019-14262]
> impacts Tika or not.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
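The process-isolation mitigation the comment above recommends (parsing in a separate JVM so a parser crash or hang cannot take down the caller) can be set up with Tika's ForkParser. The following is an added example, not code from the Tika project or from this thread; it assumes the Tika 1.x ForkParser API (org.apache.tika.fork.ForkParser with setPoolSize and setServerPulseMillis) and the input path is a placeholder.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.tika.fork.ForkParser;
import org.apache.tika.metadata.Metadata;
import org.apache.tika.parser.AutoDetectParser;
import org.apache.tika.parser.ParseContext;
import org.apache.tika.sax.BodyContentHandler;

// Parses untrusted files in a child JVM via ForkParser so that a crash,
// OutOfMemoryError or infinite loop in an underlying parser (for example the
// metadata-extractor / xmpcore code discussed in TIKA-2952) surfaces here as an
// exception instead of killing the application JVM.
public class IsolatedParseExample {

    public static String parseIsolated(Path file) throws Exception {
        // The child process runs AutoDetectParser; this JVM only sees results.
        try (ForkParser fork = new ForkParser(
                IsolatedParseExample.class.getClassLoader(),
                new AutoDetectParser())) {
            // Assumption: these setters exist in the Tika 1.x ForkParser API.
            fork.setPoolSize(2);               // at most two child JVMs at once
            fork.setServerPulseMillis(5000);   // detect unresponsive children

            BodyContentHandler handler = new BodyContentHandler(-1);
            Metadata metadata = new Metadata();
            try (InputStream in = Files.newInputStream(file)) {
                fork.parse(in, handler, metadata, new ParseContext());
            }
            return handler.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path; replace with the untrusted document to inspect.
        Path input = Paths.get(args.length > 0 ? args[0] : "untrusted-input.jpg");
        try {
            String text = parseIsolated(input);
            System.out.println("Extracted " + text.length() + " characters");
        } catch (Exception e) {
            // A child-JVM failure lands here; the main JVM keeps running.
            System.err.println("Isolated parse failed: " + e);
        }
    }
}
```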