[ https://issues.apache.org/jira/browse/TIKA-2952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17020833#comment-17020833 ]
Abhijit Rajwade commented on TIKA-2952:
---------------------------------------

[~tallison] [~stappe2019]

I see that for CVE-2019-14262 in com.drewnoakes : metadata-extractor : 2.11.0, there is a fix done for the Java side
https://github.com/drewnoakes/metadata-extractor/pull/420
which fixes the issue reported in
https://github.com/drewnoakes/metadata-extractor/issues/419

There is a new drewnoakes metadata-extractor release
https://github.com/drewnoakes/metadata-extractor/releases/tag/2.13.0
that has the PR #420 fix.

Can you please double check this?
If the above information is correct, this issue can be resolved by upgrading metadata-extractor to version 2.13 in the next Apache Tika release.

> Vulnerable "metadata-extractor 2.11.0" is present in tika 1.22.
> ---------------------------------------------------------------
>
>                 Key: TIKA-2952
>                 URL: https://issues.apache.org/jira/browse/TIKA-2952
>             Project: Tika
>          Issue Type: Bug
>            Reporter: Aman Mishra
>            Priority: Major
>
> We can see that metadata-extractor with version 2.11.0 is present in
> tika-bundle 1.22 jar. We can see that even the latest metadata-extractor with
> version 2.12.0 is also vulnerable.
>
> So please confirm from your side: "Is this vulnerability [CVE-2019-14262]
> impacting tika or not?"

--
This message was sent by Atlassian Jira (v8.3.4#803005)