Posted to dev@tika.apache.org by "Tim Allison (Jira)" <ji...@apache.org> on 2022/11/10 13:55:00 UTC

[jira] [Commented] (TIKA-3925) Use of vulnerable quartz and c3p0 in tika-parser-scientific-module

    [ https://issues.apache.org/jira/browse/TIKA-3925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17631664#comment-17631664 ] 

Tim Allison commented on TIKA-3925:
-----------------------------------

I'm attaching mvn dependency:tree against 2.6.0, and I don't see what you're seeing.

If you are using our packages via maven (e.g. you're not just using tika-app or tika-server), you need to inherit from our parent pom or bom to include our dependency management section.  Our parent pom is not automatically inherited if you are including our modules as dependencies. 

For how to inherit our parent pom, see: https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17629794#comment-17629794

For how to inherit from our bom see: https://github.com/apache/tika#maven-dependencies

If I'm misunderstanding something, please let me know.

> Use of vulnerable quartz and c3p0 in tika-parser-scientific-module
> ------------------------------------------------------------------
>
>                 Key: TIKA-3925
>                 URL: https://issues.apache.org/jira/browse/TIKA-3925
>             Project: Tika
>          Issue Type: Bug
>          Components: dependency
>    Affects Versions: 2.6.0
>            Reporter: Vishal Ranjan
>            Priority: Critical
>         Attachments: dependencies.txt.zip
>
>
> There are the following High security vulnerabilities in tika-parser-scientific-module:2.6.0:
> quartz:2.2.0 has CVE-2019-13990
> c3p0:0.9.1.1 has CVE-2018-20433
> The suggested resolution is to upgrade these dependencies but "tika-parser-scientific-module" latest version 2.6.0 still uses same version. Because of this we are unable to do away with these vulnerabilities.
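The comment above says the managed versions only apply if a consumer inherits Tika's parent pom or imports its BOM. As an added illustration (not code from the Tika project or from either participant in this thread), here is a minimal consumer pom.xml that imports the BOM so Tika's dependencyManagement section governs the transitive versions of the parser module's dependencies. The coordinates org.apache.tika:tika-bom and the project name com.example:tika-consumer are assumptions; confirm the BOM coordinates against the README linked in the comment before relying on them.

```xml
<!-- Added example, not from the Tika project: a consumer pom.xml that imports
     the Tika BOM instead of inheriting the Tika parent. The BOM coordinates
     (org.apache.tika:tika-bom) are assumed from the linked README; verify
     them there. The groupId/artifactId of this project are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>tika-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <tika.version>2.6.0</tika.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- scope=import with type=pom merges Tika's managed versions into this
           project's dependencyManagement without making it a child of the
           Tika parent pom. -->
      <dependency>
        <groupId>org.apache.tika</groupId>
        <artifactId>tika-bom</artifactId>
        <version>${tika.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No <version> element: it is supplied by the imported BOM. -->
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-parser-scientific-module</artifactId>
    </dependency>
  </dependencies>
</project>
```

To check what a build actually resolves, run `mvn dependency:tree` from the consuming project (the plugin's `-Dincludes=*:quartz,*:c3p0` filter narrows the output to the two artifacts named in this issue) and compare the result with the tree attached to this comment. A project that lists the Tika modules as plain dependencies, with neither the parent pom nor the BOM import, gets no benefit from Tika's dependencyManagement and resolves transitive versions through Maven's ordinary nearest-wins mediation, which is the situation the comment describes.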



--
This message was sent by Atlassian Jira
(v8.20.10#820010)