Posted to dev@tika.apache.org by "Tim Allison (JIRA)" <ji...@apache.org> on 2018/02/01 01:09:00 UTC

[jira] [Commented] (TIKA-2561) Tika Parser includes outdated/vulnerable version of JSoup

    [ https://issues.apache.org/jira/browse/TIKA-2561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16347844#comment-16347844 ] 

Tim Allison commented on TIKA-2561:
-----------------------------------

Thank you for opening this, y, edu.ucar:grib:jar:4.5.5 pulls in 1.7.2.  Are we actually vulnerable to XSS simply by parsing a file?  I recognize XXE and entity expansion attacks are a problem, but XSS?  Thank you, again.

> Tika Parser includes outdated/vulnerable version of JSoup
> --------------------------------------------------------
>
>                 Key: TIKA-2561
>                 URL: https://issues.apache.org/jira/browse/TIKA-2561
>             Project: Tika
>          Issue Type: Bug
>          Components: parser
>    Affects Versions: 1.17
>            Reporter: Asela
>            Priority: Major
>
> org.apache.tika:tika-parsers:1.17 pulls in dependency JSoup 1.7.2.
>  
> JSoup versions older than 1.8.3 have a vulnerability in parsing.
>  
> https://nvd.nist.gov/vuln/detail/CVE-2015-6748
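An added example, not part of this thread or of Tika's own fix: a Maven fragment that a consumer of tika-parsers 1.17 could use to force the transitive JSoup (pulled in via edu.ucar:grib:4.5.5, as noted above) up to a version no longer affected by CVE-2015-6748. The coordinates org.jsoup:jsoup are JSoup's published Maven coordinates; the exact version to pin beyond the 1.8.3 threshold named in the issue is the reader's choice.

```xml
<!-- Added example: pin JSoup for the whole dependency graph of a project
     that depends on org.apache.tika:tika-parsers:1.17.  The issue reports
     that the resolved JSoup is 1.7.2 (transitively via edu.ucar:grib:4.5.5)
     and that versions older than 1.8.3 are affected by CVE-2015-6748. -->
<project>
  <!-- ... groupId / artifactId / version of the consuming project ... -->

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement applies to transitive dependencies too, so
           this overrides the 1.7.2 that grib would otherwise bring in.
           Use 1.8.3 or any later release. -->
      <dependency>
        <groupId>org.jsoup</groupId>
        <artifactId>jsoup</artifactId>
        <version>1.8.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-parsers</artifactId>
      <version>1.17</version>
      <!-- Alternative to the pin above: drop the transitive JSoup from the
           artifact that carries it, then declare the wanted version directly.
           Only one of the two approaches is needed. -->
      <exclusions>
        <exclusion>
          <groupId>org.jsoup</groupId>
          <artifactId>jsoup</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

To confirm which JSoup actually resolves before and after the change, run `mvn dependency:tree -Dincludes=org.jsoup` in the consuming project; the output should show a single org.jsoup:jsoup entry at the pinned version.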



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)