You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tika.apache.org by "Tim Allison (Jira)" <ji...@apache.org> on 2021/08/30 14:58:00 UTC

[jira] [Commented] (TIKA-3488) Security issue XXE in TIKA due to JDOM

    [ https://issues.apache.org/jira/browse/TIKA-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17406769#comment-17406769 ] 

Tim Allison commented on TIKA-3488:
-----------------------------------

Turns out we can exclude jdom2 for Rome and just build a standard DOM/Document with our usual and (hopefully) secure methods.  Let's do that.

I'm not sure how to exclude it from grib safely...

> Security issue XXE in TIKA due to JDOM
> --------------------------------------
>
>                 Key: TIKA-3488
>                 URL: https://issues.apache.org/jira/browse/TIKA-3488
>             Project: Tika
>          Issue Type: Bug
>          Components: tika-server
>    Affects Versions: 1.25
>            Reporter: Arvind Jagtap
>            Priority: Major
>
> Apache TIKA 1.35 is vulnerable due to dependency on JDOM 2.0.6. Black Duck Hub has reported this vulnerability CVE-2021-33813 with more detail on the following page. 
> [https://nvd.nist.gov/vuln/detail/CVE-2021-33813#range-6782705]
> Although the following issue is entered, it is not yet fixed and there is no timeline given.
> https://github.com/hunterhacker/jdom/issues/189
> There are some workaround discussed on this issue. Can this be fixed in TIKA in the meanwhile?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)