Posted to user@tika.apache.org by Thomas Cherel <tc...@yahoo.com> on 2019/11/05 23:24:58 UTC

Is tika-parsers exposed to CVE-2019-12415

Hi,

tika-parsers has a dependency on Apache POI, which is exposed to
CVE-2019-12415: https://nvd.nist.gov/vuln/detail/CVE-2019-12415

Can someone confirm if tika-parsers is exposed to this CVE (which means
if tika-parsers is using the XSSFExportToXml tool/class from Apache POI)?

Thanks.


Re: Is tika-parsers exposed to CVE-2019-12415

Posted by Tim Allison <ta...@apache.org>.
Tika itself does not use that class, but it is a vuln if any of your client
code calls it, obviously. We're discussing the 1.23 release that includes
the latest version of POI.

On Tue, Nov 5, 2019 at 7:07 PM Thomas Cherel <tc...@yahoo.com> wrote:

> Answering my own question...
>
> A string search for XSSFExportToXml in the tika 1.22 source tree is not
> returning any hits.
> The fix for the CVE is done in this specific class (see
> https://svn.apache.org/viewvc?view=revision&revision=1867484).
>
> I am then assuming that tika is not exposed since it does not use
> XSSFExportToXml.
>
> On 06/11/2019 00:24, Thomas Cherel wrote:
> > Hi,
> >
> > tika-parsers has a dependency on Apache POI, which is exposed to
> > CVE-2019-12415: https://nvd.nist.gov/vuln/detail/CVE-2019-12415
> >
> > Can someone confirm if tika-parsers is exposed to this CVE (which
> > means if tika-parsers is using the XSSFExportToXml tool/class from
> > Apache POI)?
> >
> > Thanks.
> >
>
>

Re: Is tika-parsers exposed to CVE-2019-12415

Posted by Thomas Cherel <tc...@yahoo.com>.
Answering my own question...

A string search for XSSFExportToXml in the tika 1.22 source tree is not 
returning any hits.
The fix for the CVE is done in this specific class (see 
https://svn.apache.org/viewvc?view=revision&revision=1867484).

I am then assuming that tika is not exposed since it does not use 
XSSFExportToXml.

On 06/11/2019 00:24, Thomas Cherel wrote:
> Hi,
>
> tika-parsers has a dependency on Apache POI, which is exposed to
> CVE-2019-12415: https://nvd.nist.gov/vuln/detail/CVE-2019-12415
>
> Can someone confirm if tika-parsers is exposed to this CVE (which
> means if tika-parsers is using the XSSFExportToXml tool/class from
> Apache POI)?
>
> Thanks.
>
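
The string search described in this thread, extended from source files to compiled classes inside (possibly nested) jar/war/ear archives, so that client code shipped only as binaries is also checked for calls into XSSFExportToXml. This is an added example, not part of the original messages and not code from Tika or POI. The function names and the list of file extensions are assumptions; the package name org.apache.poi.xssf.extractor is POI's package for this class and is not stated in the thread.

```python
import io
import os
import sys
import zipfile

# Class patched for CVE-2019-12415: simple name as it appears in source, and
# the slash-separated internal name the JVM stores in a .class constant pool.
SIMPLE = b"XSSFExportToXml"
INTERNAL = b"org/apache/poi/xssf/extractor/XSSFExportToXml"
SOURCES = (".java", ".kt", ".scala", ".groovy")   # assumed set of source types
ARCHIVES = (".jar", ".war", ".ear")


def scan_archive(data, label, hits):
    """Search .class entries of an archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            # POI's own jar defines the class; a definition is not a caller.
            if name.startswith(INTERNAL.decode()):
                continue
            body = zf.read(name)
            if name.endswith(".class") and INTERNAL in body:
                hits.append(f"{label}!{name}")
            elif name.endswith(ARCHIVES):
                scan_archive(body, f"{label}!{name}", hits)


def find_references(root):
    """Return sorted paths of sources and classes that reference the class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            if fn.endswith(SOURCES) and SIMPLE in data:
                hits.append(path)
            elif fn.endswith(".class") and INTERNAL in data:
                hits.append(path)
            elif fn.endswith(ARCHIVES):
                scan_archive(data, path, hits)
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_references(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

An empty result only rules out direct references: a class name passed to reflection as a dotted string is not matched by this search.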