Elasticsearch includes a version of tika-core with a security vulnerability #90360
Labels
>bug
:Security/Security
Security issues without another label
Team:Security
Meta label for security team
Comments
ebadyano
added
:Security/Security
|
Pinging @elastic/es-security (Team:Security) |
|
Thank you for your report. Elastic's security reporting guidelines are available at https://www.elastic.co/community/security. Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Elasticsearch Version
8.4.2
Installed Plugins
No response
Java Version
bundled
OS Version
Linux 3f1511ad194d 5.15.0-47-generic #51-Ubuntu SMP Thu Aug 11 07:51:15 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Problem Description
Elasticsearch 8.4.1 includes tika-core-2.4.0.jar (in module ingest-attachment), that has vulnerability CVE-2022-33879 reported against it (see https://nvd.nist.gov/vuln/detail/CVE-2022-33879)
Steps to Reproduce
Install Elasticsearch 8.4.1, list the content of directory modules/ingest-attachment
Logs (if relevant)
No response
The text was updated successfully, but these errors were encountered: