[BUILD-704] Investigate CVE-2022-24613 and CVE-2022-24614

Created: 03/Mar/22 | Updated: 03/Mar/22 | Resolved: 03/Mar/22

| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | POMs 45, Build Resources 1.6.14 |
| Type: | Task |
| Priority: | Neutral |
| Reporter: | Federico Grilli |
| Assignee: | Maxime Michel |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | foundation_team, security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Acceptance criteria: | Empty |
| Task DoR: | Empty |

Description

As reported by the CVE scan in Magnolia's continuous integration builds:

- magnolia-community-webapp-6.2-SNAPSHOT.war: metadata-extractor-2.15.0.1.jar (pkg:maven/org.tallison/metadata-extractor@2.15.0.1, cpe:2.3:a:metadata-extractor_project:metadata-extractor:2.15.0.1:*:*:*:*:*:*:*): CVE-2022-24613, CVE-2022-24614
- magnolia-empty-webapp-6.2-SNAPSHOT.war: metadata-extractor-2.15.0.1.jar (pkg:maven/org.tallison/metadata-extractor@2.15.0.1, cpe:2.3:a:metadata-extractor_project:metadata-extractor:2.15.0.1:*:*:*:*:*:*:*): CVE-2022-24613, CVE-2022-24614
Comments

Comment by Jan Haderka [ 03/Mar/22 ]

Links to CVEs:

For documentation:

Internal info: com.drewnoakes is already on version 2.16 since May 2021. I would consider the org.tallison fork abandoned, since its last update was in 2020. The issue is tracked in the drewnoakes repo since Dec 10, 2021, and while acknowledged by the owner, there's no fix until today. I wasn't able to find corresponding tickets in JCR or Tika, so I think an update from their side is also not coming anytime soon. If/when the exclusion workaround is not acceptable for any client contacting support, we should consider upping the version of the fork and fixing it ourselves.