Diego Rivera created TIKA-4687:
----------------------------------

             Summary: Multiple CVE security findings in Tika 3.2.3
                 Key: TIKA-4687
                 URL: https://issues.apache.org/jira/browse/TIKA-4687
             Project: Tika
          Issue Type: Bug
          Components: tika-core, tika-server
    Affects Versions: 3.2.3
            Reporter: Diego Rivera


During our security scans, our Tika 3.2.3 container raised the following CVE 
issues (fixes listed):
|CVE|Severity|Fix|
|CVE-2026-24308|HIGH|org.apache.zookeeper:zookeeper:3.8.6|
|GHSA-72hv-8253-57qq|HIGH|com.fasterxml.jackson.core:jackson-core:2.21.1|
|CVE-2024-6763|MEDIUM|org.eclipse.jetty:jetty-http:12.0.12|
|CVE-2025-11143|LOW|org.eclipse.jetty:jetty-http:12.0.31|
|CVE-2025-11226|MEDIUM|ch.qos.logback:logback-core:1.5.19|
|CVE-2025-68161|MEDIUM|org.apache.logging.log4j:log4j-core:2.25.3|
|CVE-2026-1225|LOW|ch.qos.logback:logback-core:1.5.25|

Is there any chance that all of the above can be addressed for the next release 
(3.2.4)?

In most cases it should be simple enough to update the dependent library's 
version in the `pom.xml`. There are two more that I'm not requesting a fix for:

|CVE|Severity|Fix|
|CVE-2024-6763|MEDIUM|org.eclipse.jetty:jetty-http:12.0.12|
|CVE-2025-11143|LOW|org.eclipse.jetty:jetty-http:12.0.31|

In the case of these Jetty issues, they would require a jump to Jetty 12 which 
in turn requires Java 17, and I suspect there's no desire to raise the Java 
baseline to 17 for Tika.

Thanks!
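As an added example (not part of this issue, and not Tika's own build tooling), the following Python script shows the bookkeeping behind a report like the one above: it folds the findings table into one minimum fixed version per artifact (jetty-http and logback-core each appear twice, and only the higher fix closes both findings), checks a set of resolved dependency versions against those minimums, optionally sets aside artifacts whose upgrade is deferred (the Jetty 12 / Java 17 case), and emits the matching `dependencyManagement` block. The findings are copied from the table above; the "resolved" versions are constructed sample values standing in for what `mvn dependency:tree` would print, and the version ordering is a simplified approximation of Maven's (numeric components compared numerically, a trailing qualifier ranks below the bare release).

```python
"""Fold CVE scanner findings into minimum dependency versions and check a
resolved dependency set against them.

Added example, not part of TIKA-4687 or of the Tika build. FINDINGS is the
table from the issue; RESOLVED is a constructed sample dependency set.
"""
import re

# (identifier, severity, fixed-in coordinate) as listed in the issue.
FINDINGS = [
    ("CVE-2026-24308", "HIGH", "org.apache.zookeeper:zookeeper:3.8.6"),
    ("GHSA-72hv-8253-57qq", "HIGH", "com.fasterxml.jackson.core:jackson-core:2.21.1"),
    ("CVE-2024-6763", "MEDIUM", "org.eclipse.jetty:jetty-http:12.0.12"),
    ("CVE-2025-11143", "LOW", "org.eclipse.jetty:jetty-http:12.0.31"),
    ("CVE-2025-11226", "MEDIUM", "ch.qos.logback:logback-core:1.5.19"),
    ("CVE-2025-68161", "MEDIUM", "org.apache.logging.log4j:log4j-core:2.25.3"),
    ("CVE-2026-1225", "LOW", "ch.qos.logback:logback-core:1.5.25"),
]

# Constructed sample of currently resolved versions (not Tika's real tree).
RESOLVED = {
    "org.apache.zookeeper:zookeeper": "3.8.6",
    "com.fasterxml.jackson.core:jackson-core": "2.20.0",
    "org.eclipse.jetty:jetty-http": "11.0.24",
    "ch.qos.logback:logback-core": "1.5.19",
    "org.apache.logging.log4j:log4j-core": "2.25.2",
}


def _tokens(version):
    # Numeric parts sort as (1, n), qualifiers as (0, text): any qualifier
    # ranks below a number, so 1.5.19-rc1 < 1.5.19 (simplified Maven order).
    return [(1, int(t)) if t.isdigit() else (0, t.lower())
            for t in re.split(r"[.\-_]", version) if t]


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing version strings a and b."""
    ta, tb = _tokens(a), _tokens(b)
    pad = (1, 0)  # a missing trailing component counts as ".0": 1.5 == 1.5.0
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else pad
        y = tb[i] if i < len(tb) else pad
        if x != y:
            return -1 if x < y else 1
    return 0


def _split(coord):
    group, artifact, version = coord.rsplit(":", 2)
    return f"{group}:{artifact}", version


def minimum_versions(findings):
    """One minimum version per artifact: the highest fix listed, because a
    lower fix would still leave the later finding open."""
    mins = {}
    for _fid, _sev, coord in findings:
        key, version = _split(coord)
        if key not in mins or compare_versions(version, mins[key]) > 0:
            mins[key] = version
    return mins


def outstanding(findings, resolved, deferred=()):
    """Findings whose fixed version is not met by the resolved version.
    Artifacts in `deferred` are skipped (e.g. an upgrade blocked by a
    Java-baseline requirement) so the remaining list is actionable."""
    out = []
    for fid, sev, coord in findings:
        key, fix = _split(coord)
        if key in deferred:
            continue
        have = resolved.get(key)
        if have is None or compare_versions(have, fix) < 0:
            out.append((fid, sev, key, have, fix))
    return out


def dependency_management_xml(mins):
    """Render a Maven <dependencyManagement> block pinning each minimum."""
    lines = ["<dependencyManagement>", "  <dependencies>"]
    for key in sorted(mins):
        group, artifact = key.split(":")
        lines += ["    <dependency>",
                  f"      <groupId>{group}</groupId>",
                  f"      <artifactId>{artifact}</artifactId>",
                  f"      <version>{mins[key]}</version>",
                  "    </dependency>"]
    lines += ["  </dependencies>", "</dependencyManagement>"]
    return "\n".join(lines)


if __name__ == "__main__":
    for fid, sev, key, have, fix in outstanding(FINDINGS, RESOLVED):
        print(f"{fid:22} {sev:7} {key}: have {have}, need >= {fix}")
    print(dependency_management_xml(minimum_versions(FINDINGS)))
```

Run as a script it lists the five sample findings still open (zookeeper is already at 3.8.6 and logback 1.5.19 closes CVE-2025-11226 but not CVE-2026-1225), then prints the pinning block; passing `deferred={"org.eclipse.jetty:jetty-http"}` to `outstanding` drops the two Jetty rows the reporter is not asking to be fixed.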
--
This message was sent by Atlassian Jira
(v8.20.10#820010)