[ https://issues.apache.org/jira/browse/TIKA-2878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16844146#comment-16844146 ]

Tilman Hausherr commented on TIKA-2878:
---------------------------------------

With the maven owasp plugin 5.0.0.M3 I get even more when using tika-parsers:

vorbis-java-tika-0.8.jar (pkg:maven/org.gagravarr/[email protected], cpe:2.3:a:apache:tika:0.8:*:*:*:*:*:*:*) : CVE-2016-6809, CVE-2018-11761, CVE-2018-11796, CVE-2018-1335, CVE-2018-1338, CVE-2018-1339
c3p0-0.9.1.1.jar (pkg:maven/c3p0/[email protected], cpe:2.3:a:mchange:c3p0:0.9.1.1:*:*:*:*:*:*:*) : CVE-2019-5427
sentiment-analysis-parser-0.1.jar (pkg:maven/edu.usc.ir/[email protected], cpe:2.3:a:apache:opennlp:0.1:*:*:*:*:*:*:*, cpe:2.3:a:apache:tika:0.1:*:*:*:*:*:*:*) : CVE-2016-6809, CVE-2018-11761, CVE-2018-11796, CVE-2018-1335, CVE-2018-1338, CVE-2018-1339

with 4.0.2:

vorbis-java-tika-0.8.jar (org.gagravarr:vorbis-java-tika:0.8, cpe:/a:apache:tika:0.8) : CVE-2016-6809, CVE-2018-1335, CVE-2018-11796, CVE-2018-1338, CVE-2018-11761, CVE-2018-1339
xz-1.8.jar (cpe:/a:tukaani:xz:1.8, org.tukaani:xz:1.8) : CVE-2015-4035
boilerpipe-1.1.0.jar (de.l3s.boilerpipe:boilerpipe:1.1.0, cpe:/a:html-pages_project:html-pages:1.1.0) : CVE-2018-16481
rome-1.12.0.jar (com.rometools:rome:1.12.0, cpe:/a:all-for-one:all_for_one:1.12.0, cpe:/a:feeds_project:feeds:1.12.0) : CVE-2018-12056
relaxng-datatype-2.3.2.jar (com.sun.xml.bind.external:relaxng-datatype:2.3.2, cpe:/a:data-tools_project:data_tools:2.3.2) : CVE-2018-18749
bzip2-0.9.1.jar (cpe:/a:bzip:bzip2:0.9.1, org.itadaki:bzip2:0.9.1) : CVE-2011-4089, CVE-2010-0405, CVE-2005-1260
c3p0-0.9.1.1.jar (cpe:/a:mchange:c3p0:0.9.1.1, c3p0:c3p0:0.9.1.1) : CVE-2019-5427
sentiment-analysis-parser-0.1.jar (edu.usc.ir:sentiment-analysis-parser:0.1, cpe:/a:apache:opennlp:0.1, cpe:/a:data-tools_project:data_tools:0.1) : CVE-2018-18749


> Update dependencies for 1.21.1 or 1.22
> --------------------------------------
>
>                 Key: TIKA-2878
>                 URL: https://issues.apache.org/jira/browse/TIKA-2878
>             Project: Tika
>          Issue Type: Task
>            Reporter: Tim Allison
>            Priority: Major
>
> And in the category of "stuff you can't make up"...while generating the 
> javadocs for the 1.21 release:
> We're now getting this in {{tika-parsers}}:
> {noformat}
>   c3p0:c3p0:jar:0.9.1.1:compile; 
> https://ossindex.sonatype.org/component/pkg:maven/c3p0/[email protected]
>     * [CVE-2019-5427]  Resource Management Errors (7.5); 
> https://ossindex.sonatype.org/vuln/d25f4c21-9e76-4fc2-9d73-3770aa3aec56
> {noformat}
> and in {{tika-server}}:
> {noformat}
>     * [CVE-2019-10247]  Information Exposure (5.3); 
> https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
>     * [CVE-2019-10241]  Improper Neutralization of Input During Web Page 
> Generation ("Cross-site Scripting") (6.1); 
> https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
>   org.eclipse.jetty:jetty-server:jar:9.4.14.v20181114:compile; 
> https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/[email protected]
>     * [CVE-2019-10247]  Information Exposure (5.3); 
> https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
>     * [CVE-2019-10241]  Improper Neutralization of Input During Web Page 
> Generation ("Cross-site Scripting") (6.1); 
> https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

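To triage output like the scan summaries quoted in the comment above, here is an added example (not code from the Tika project or the dependency-check plugin) that parses the "jar (identifiers) : CVEs" summary lines, flags CPE matches whose product name does not occur in the jar name (a heuristic hint that the CPE was mis-identified and the CVE should be verified before being treated as real), and reports which CVEs one plugin version adds over another. The sample report lines and the one-line-per-jar format are assumed from the comment; the report contents are constructed for the example.

```python
import re

# Constructed sample reports in the "jar (identifiers) : CVEs" summary format
# seen in the comment above (format assumed; these lines are made up here).
OLD = """\
xz-1.8.jar (cpe:/a:tukaani:xz:1.8, org.tukaani:xz:1.8) : CVE-2015-4035
boilerpipe-1.1.0.jar (de.l3s.boilerpipe:boilerpipe:1.1.0, cpe:/a:html-pages_project:html-pages:1.1.0) : CVE-2018-16481
c3p0-0.9.1.1.jar (cpe:/a:mchange:c3p0:0.9.1.1, c3p0:c3p0:0.9.1.1) : CVE-2019-5427
"""
NEW = """\
c3p0-0.9.1.1.jar (c3p0:c3p0:0.9.1.1, cpe:2.3:a:mchange:c3p0:0.9.1.1:*:*:*:*:*:*:*) : CVE-2019-5427
sentiment-analysis-parser-0.1.jar (edu.usc.ir:sentiment-analysis-parser:0.1, cpe:2.3:a:apache:opennlp:0.1:*:*:*:*:*:*:*) : CVE-2018-18749
"""
LINE_RE = re.compile(r"^(?P<jar>\S+\.jar)\s*\((?P<ids>[^)]*)\)\s*:\s*(?P<cves>.*)$")

def parse_report(text):
    """Map jar file name -> (set of identifier strings, set of CVE ids)."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ids = {s.strip() for s in m["ids"].split(",") if s.strip()}
            cves = {s.strip() for s in m["cves"].split(",") if s.strip()}
            findings[m["jar"]] = (ids, cves)
    return findings

def cpe_product(identifier):
    """Product field of a CPE 2.2 (cpe:/a:vendor:product:...) or CPE 2.3
    (cpe:2.3:a:vendor:product:...) string; None for non-CPE identifiers."""
    parts = identifier.split(":")
    if identifier.startswith("cpe:/"):
        return parts[3]
    if identifier.startswith("cpe:2.3:"):
        return parts[4]
    return None

def suspicious_cpes(findings):
    """Jar -> CPE products whose name does not occur in the jar file name."""
    flagged = {}
    for jar, (ids, _) in findings.items():
        products = {p for p in map(cpe_product, ids) if p}
        odd = {p for p in products if p.replace("_", "-") not in jar.lower()}
        if odd:
            flagged[jar] = odd
    return flagged

def new_cves(old, new):
    """CVE ids per jar that the `new` report lists but `old` did not."""
    empty = (set(), set())
    diff = {j: new[j][1] - old.get(j, empty)[1] for j in new}
    return {j: c for j, c in diff.items() if c}
```

Jars that appear in only one of the two reports show up in new_cves with all their CVEs, which is how the extra entries from a newer plugin version stand out.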