[
https://issues.apache.org/jira/browse/TIKA-2952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17020833#comment-17020833
]
Abhijit Rajwade commented on TIKA-2952:
---------------------------------------
[~tallison] [~stappe2019]
I see that for CVE-2019-14262 in com.drewnoakes : metadata-extractor : 2.11.0,
there is a fix done for the Java side
https://github.com/drewnoakes/metadata-extractor/pull/420
which fixes the issue reported in
https://github.com/drewnoakes/metadata-extractor/issues/419
There is a new drewnoaks metadata-extractor release
https://github.com/drewnoakes/metadata-extractor/releases/tag/2.13.0
that has the PR #420 fix.
Can you please double check this?
If above information is correct, this issue can be resolved by upgradeing
metadata-extractor to version 2.13 in next Apache Tika release.
> Vulnerable "metadata-extractor 2.11.0" is present in tika 1.22.
> ---------------------------------------------------------------
>
> Key: TIKA-2952
> URL: https://issues.apache.org/jira/browse/TIKA-2952
> Project: Tika
> Issue Type: Bug
> Reporter: Aman Mishra
> Priority: Major
>
> We can see that metadata-extractor with version 2.11.0 is present in
> tika-bundle 1.22 jar. We can see that even latest metadata-extractor with
> version 2.12.0 is also vulnerable.
>
> So please confirm your side that "Is this vulnerability [CVE-2019-14262] is
> impacting to tika or not ?"
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
