[ https://issues.apache.org/jira/browse/OAK-10546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17784451#comment-17784451 ]
Julian Reschke commented on OAK-10546:
--------------------------------------

I believe we can simply exclude it in the dependency declaration where Tika is used. We should also open a ticket to update Tika to a version that is maintained.

> Tika 1.28.5 includes a vulnerable Guava dependency
> --------------------------------------------------
>
>                 Key: OAK-10546
>                 URL: https://issues.apache.org/jira/browse/OAK-10546
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: oak-examples, oak-run, oak-search-elastic, oak-solr-core
>            Reporter: Fabrizio Fortino
>            Priority: Major
>
> Guava 31.1 has a critical vulnerability [0]. It is included as a transient
> dependency of Tika 1.28.5 [1]. This is the latest 1.x available release of
> Tika. Being EOL it won't receive any security-related updates [2].
> The work to upgrade to Tika 2.x would require some time.
> If possible, we should find an alternative solution to avoid including this
> vulnerable dependency.
> [0] [https://www.opencve.io/cve/CVE-2023-2976]
> [1] [https://mvnrepository.com/artifact/org.apache.tika/tika-parsers/1.28.5]
> [2] [https://lists.apache.org/thread/yq6n7o01kw544dvj1jsoqk29g6yqjkp3]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
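One way to carry out the exclusion discussed in the comment above, as an added example that is not code from the Oak project or from this ticket: a Maven POM fragment that declares the tika-parsers 1.28.5 dependency named in the issue with its transitive Guava excluded, re-adds Guava explicitly at a release that addresses CVE-2023-2976 so that anything in the parser chain that needs Guava still finds a copy, and adds a maven-enforcer-plugin bannedDependencies rule so the build fails if an older Guava is pulled back in through any other path. The Guava version 32.0.1-jre and the enforcer plugin version 3.4.1 are my assumptions; the ticket names no fixed version.

```xml
<project>
  <dependencies>
    <!-- Tika 1.28.5 as named in OAK-10546, with its transitive Guava excluded -->
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-parsers</artifactId>
      <version>1.28.5</version>
      <exclusions>
        <exclusion>
          <groupId>com.google.guava</groupId>
          <artifactId>guava</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Declare Guava directly at a release that addresses CVE-2023-2976.
         32.0.1-jre is an assumption: check the Guava release notes before adopting it. -->
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>32.0.1-jre</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Fail the build if any Guava below 32.0.0 reappears, directly or transitively.
           The plugin version is an assumption. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-vulnerable-guava</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!-- Maven version range: every Guava release strictly below 32.0.0 -->
                    <exclude>com.google.guava:guava:[,32.0.0)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Before and after applying the change, `mvn dependency:tree -Dincludes=com.google.guava:guava` shows which Guava version each module actually resolves and through which path; the enforcer rule then keeps that result from silently regressing when some other dependency of the module is bumped. The exclusion alone is not enough if another artifact also brings in Guava 31.1, which is why the explicit declaration and the banned-dependency check go together.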