[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM

Mon, 30 Aug 2021 09:35:08 -0700 


    [ 
https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17406822#comment-17406822
 ] 

Hudson commented on TIKA-3488:
------------------------------

FAILURE: Integrated in Jenkins build Tika ยป tika-main-jdk8 #322 (See 
[https://ci-builds.apache.org/job/Tika/job/tika-main-jdk8/322/])
TIKA-3488 -- exclude dependency on jdom2 in the FeedParser. See: 
https://github.com/hunterhacker/jdom/issues/189 (tallison: 
[https://github.com/apache/tika/commit/235d916c4ef163567db125a9f597cab3de82e0c5])
* (edit) 
tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-news-module/src/main/java/org/apache/tika/parser/feed/FeedParser.java
* (edit) 
tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-news-module/pom.xml
TIKA-3488 -- exclude dependency on jdom2 in the FeedParser. See: 
https://github.com/hunterhacker/jdom/issues/189 (tallison: 
[https://github.com/apache/tika/commit/4c1c675565026585ade55268255de077af055d52])
* (edit) tika-bundles/tika-bundle-standard/pom.xml
TIKA-3488 -- revert to include jdom2 (tallison: 
[https://github.com/apache/tika/commit/fe6f33ee0b61c09d30c46229ea020ad20328d29f])
* (edit) 
tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-news-module/src/main/java/org/apache/tika/parser/feed/FeedParser.java
* (edit) 
tika-parsers/tika-parsers-standard/tika-parsers-standard-modules/tika-parser-news-module/pom.xml
* (edit) tika-bundles/tika-bundle-standard/pom.xml


> Security issue XXE in TIKA due to JDOM
> --------------------------------------
>
>                 Key: TIKA-3488
>                 URL: https://issues.apache.org/jira/browse/TIKA-3488
>             Project: Tika
>          Issue Type: Bug
>          Components: tika-server
>    Affects Versions: 1.25
>            Reporter: Arvind Jagtap
>            Priority: Major
>
> Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck 
> Hub has reported this vulnerability CVE-2021-33813 with more detail on the 
> following page. 
> [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705]
> Although the following issue is entered, it is not yet fixed and there is no 
> timeline given.
> https://github.com/hunterhacker/jdom/issues/189
> There are some workaround discussed on this issue. Can this be fixed in TIKA 
> in the meanwhile?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to