Thank you. I just checked the dependency:tree in our main branch and see this:

+- org.apache.cxf:cxf-rt-rs-client:jar:3.5.5:compile
[INFO] |  |  +- org.apache.cxf:cxf-rt-transports-http:jar:3.5.5:compile
[INFO] |  |  +- org.apache.cxf:cxf-core:jar:3.5.5:compile
[INFO] |  |  |  +- com.fasterxml.woodstox:woodstox-core:jar:6.5.0:compile

We'll likely kick off the release process for 2.7.0 late this week or
early next week. Thank you for the notification.

If you'd like access to jira, see
(https://infra.apache.org/jira-guidelines.html#who) and send me this
info directly:
Gather this information from the requestor:

email address
preferred username (N.B. hyphens not allowed)
alternate username (in case the preferred one is already in use)
display name, if it is different from the username

On Mon, Jan 23, 2023 at 8:05 PM Jason Warren <[email protected]> wrote:
>
> Tika 2.6.0 contains com.fasterxml.woodstox:woodstox-core version 6.2.8 in 
> tika-server-standard-2.6.0.jar which has a DOS vulnerability with a CVSS 3.0 
> score of 7.5 (HIGH).
>
> I've gone through the user and dev mailing lists and JIRA and I haven't found 
> any previous reports so I wanted to bring this to your attention. I don't 
> have an account in JIRA so I believe this is the only way I am able to report 
> it.
>
> More information about the vulnerability CVE-2022-40152:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40152
> https://nvd.nist.gov/vuln/detail/CVE-2022-40152
> https://github.com/advisories/GHSA-3f7h-mf4q-vrm4
>