Hi,

The OpenWire serialization issue exists in ActiveMQ OSGi 5.15.11.
However, in the context of Tika, it's limited imho.
If you don't actually use openwire/JMS in Tika, you are not impacted
and you can exclude activemq-osgi from the transitive dependency.

Regards
JB

On Thu, Jan 4, 2024 at 8:08 AM Ghanekar, Vijay <vghane...@ptc.com> wrote:
>
> Hi Team,
> We are using tika-app-1.22.jar and found the transitive dependency
> org.apache.activemq:activemq-osgi:5.15.11. We have found a vulnerability
> issue, CVE-2023-46604, with a score of 10.0, which is critical.
> Could you share the impact analysis and mitigation for this CVE?
>
> Thanks
>
