https://dev.lucee.org/t/how-to-retrieve-video-dimensions-with-lucee-coldfusion/9230 explains how to install the full Tika if you want to use Tika to retrieve the content and metadata from various file types including Office documents, PDF etc.
The post is a bit old, but the principle applies to Tika 3.2.2. As Zackster said, the bundled Tika 1.28.4 is not the full Tika. However, it does include the core facades for the Tika API but won’t give the results that you get with the full Tika.
As Zacster also said. The bundled Tika 1.28.4 isn’t vulnerable, only the full Tika up to 3.2.1. If you don’t use the full Tika then no action is required and the scan is a false positive.
If you upgrade from say 3.2.1 to 3.2.2, then at http://127.0.0.1:8888/lucee/admin/index.cfm?action=info.bundle you may see the old deleted version and have to clear the cache found at C:\Lucee\tomcat\lucee-server\felix-cache (depending on your installation) and restart the Lucee service.