This is an automated email from the ASF dual-hosted git repository.
github-bot pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/solr-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new c28cf4fe4 Commit build products
c28cf4fe4 is described below
commit c28cf4fe4e82ba297f6b1fd59781ee93f5599d87
Author: Build Pelican (action) <[email protected]>
AuthorDate: Sun Jul 14 22:59:39 2024 +0000
Commit build products
---
output/blog.html | 7 +
...nity-over-code-eu-2024-birds-of-a-feather.html} | 59 +-
output/security.html | 138 ++-
output/solr.vex.json | 1010 ++++++++++++++++++++
4 files changed, 1093 insertions(+), 121 deletions(-)
diff --git a/output/blog.html b/output/blog.html
index 89c46ab52..cb046de20 100644
--- a/output/blog.html
+++ b/output/blog.html
@@ -140,6 +140,13 @@ If you have one you'd like to contribute, or would like to
link out to an extern
<hr/>
+ <h2 id="community-over-code-eu-2024-birds-of-a-feather">
+ <a href="blogposts/community-over-code-eu-2024-birds-of-a-feather.html">
+ Community Over Code EU 2024 Apache Lucene/Solr Birds Of A Feather
+ </a>
+ </h2>
+ <h5>Published: 1 July 2024</h5>
+ <p><p>This blog post is a summary of the Apache Lucene/Solr Birds of a
Feather from Community Over Code EU 2024 in Bratislava, Slovakia. Written by
Alessandro Benedetti, Director at Sease and Apache Solr Committer and PMC
member.</p></p>
<h2 id="hybrid-search-with-apache-solr">
<a href="blogposts/hybrid-search-with-apache-solr.html">
Hybrid Search with Apache Solr
diff --git a/output/blog.html
b/output/blogposts/community-over-code-eu-2024-birds-of-a-feather.html
similarity index 80%
copy from output/blog.html
copy to output/blogposts/community-over-code-eu-2024-birds-of-a-feather.html
index 89c46ab52..3ac32af5c 100644
--- a/output/blog.html
+++ b/output/blogposts/community-over-code-eu-2024-birds-of-a-feather.html
@@ -38,15 +38,15 @@
<script src="//cdn.jsdelivr.net/jquery.slick/1.3.7/slick.min.js"/></script>
<script
src="/theme/javascript/lib/jquery.smooth-scroll.min.js?v=4dd59757"></script>
<script src="/theme/javascript/main.js?v=4dd59757"></script>
-<script src="https://www.apachecon.com/event-images/snippet.js";></script>
<title>Blog Posts - Apache Solr</title>
+<script src="https://www.apachecon.com/event-images/snippet.js";></script>
<title>Community Over Code EU 2024 Apache Lucene/Solr Birds Of A Feather -
Apache Solr</title>
<meta name="keywords"
content="apache, apache lucene, apache solr, solr, lucene,
search, information retrieval, spell checking, faceting,
inverted index, open source"/>
<meta property="og:type" content="website" />
- <meta property="og:url" content="https://solr.apache.org/blog.html"/>
- <meta property="og:title" content="Blog Posts"/>
- <meta property="og:description" content="Welcome to the Apache Solr Blog,
where we periodically showcase Solr-related articles, tutorials, and other
content. Have something..."/>
+ <meta property="og:url"
content="https://solr.apache.org/blogposts/community-over-code-eu-2024-birds-of-a-feather.html"/>
+ <meta property="og:title" content="Community Over Code EU 2024 Apache
Lucene/Solr Birds Of A Feather"/>
+ <meta property="og:description" content="Community Over Code EU 2024
Apache Lucene/Solr Birds Of A Feather Dive into the insights and key takeaways
from the Apache..."/>
<meta property="og:image"
content="https://solr.apache.org/theme/images/solr_og_image.png?v=4dd59757"/>
<meta property="og:image:secure_url"
content="https://solr.apache.org/theme/solr/solr_og_image.png?v=4dd59757"/>
@@ -54,7 +54,7 @@
<link rel="shortcut icon" href="/theme/images/favicon.ico"
type="image/x-icon">
</head>
- <body class="page " x-ng-app-root="/solr" x-ng-app="page"
x-ng-controller="page.controllers.main">
+ <body class="page " x-ng-app="page" x-ng-controller="page.controllers.main">
<div class="contain-to-grid">
<div class="header-section">
<nav class="top-bar" data-topbar role="navigation">
@@ -117,52 +117,9 @@
<div class="header-fill"></div>
<div class="container">
<div class="row">
-<div class="small-12 columns">
-
- <style type="text/css">
- .headerlink, .elementid-permalink {
- visibility: hidden;
- }
- h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink,
h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink,
dt:hover > .elementid-permalink {
- visibility: visible;
- }
- h2 {
- /* Avoid title being hidden behind header when linked by anchor link */
- padding-top: 70px;
- margin-top: -70px;
- }
- </style>
- <h1 id="solr-blogs">Solr<sup>™</sup> Blog Posts<a class="headerlink"
href="#solr-blog-posts" title="Permanent link">¶</a></h1>
- <p>Welcome to the Apache Solr Blog, where we periodically showcase
Solr-related articles, tutorials, and other content.</p>
-<p>Have something to share?
-We're always looking for new articles!
-If you have one you'd like to contribute, or would like to link out to an
external post, create a PR using the instructions <a
href="https://github.com/apache/solr-site";>here</a>.</p>
-
- <hr/>
-
- <h2 id="hybrid-search-with-apache-solr">
- <a href="blogposts/hybrid-search-with-apache-solr.html">
- Hybrid Search with Apache Solr
- </a>
- </h2>
- <h5>Published: 17 June 2024</h5>
- <p><p>This blog post shows how to run a hybrid search (keyword-based search
+ vectors) in Apache Solr with code examples and explanations. Written by
Alessandro Benedetti, Director at Sease and Apache Solr Committer and PMC
member.</p></p>
- <h2 id="welcome-to-the-apache-solr-blog">
- <a href="blogposts/welcome-to-the-apache-solr-blog.html">
- Welcome to the Apache Solr Blog
- </a>
- </h2>
- <h5>Published: 22 April 2024</h5>
- <p><p>We have a blog? What is it, and why do we have it?</p></p>
- <h2 id="contribute-to-the-apache-solr-blog">
- <a href="blogposts/contribute-to-the-apache-solr-blog.html">
- How To: Contribute to the Apache Solr Blog
- </a>
- </h2>
- <h5>Published: 23 April 2024</h5>
- <p><p>You have a brilliant idea for Solr's new blog. But what next? How
does the blog work, and how can writers contribute posts?</p></p>
-</div>
- </div>
+<h1
id="community-over-code-eu-2024-apache-lucenesolr-birds-of-a-feather">Community
Over Code EU 2024 Apache Lucene/Solr Birds Of A Feather</h1>
+<p>Dive into the insights and key takeaways from the Apache Lucene/Solr Birds
of a Feather (BoF) session at Community Over Code EU 2024, held in the vibrant
city of Bratislava, Slovakia. This session was specially organized to gather
feedback from the community, fostering a collaborative environment where
developers, users, and enthusiasts could share their experiences and insights.
</p>
+<p>Read about the brainstorming that took place during the event to shape the
future of these Apache projects - the complete post can be read here: <a
href="https://sease.io/2024/06/community-over-code-eu-2024.html";>Community Over
Code EU 2024 Apache Lucene/Solr Birds Of A Feather</a></p> </div>
</div>
<footer>
<div class="row">
diff --git a/output/security.html b/output/security.html
index 94f223598..c8c1b3ca3 100644
--- a/output/security.html
+++ b/output/security.html
@@ -656,360 +656,358 @@ Github user <code>s00py</code></p>
<th>state</th>
<th>detail</th>
</tr>
- <!-- BEGIN STATIC TABLE SOLR-17339 -->
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-33980";>CVE-2022-33980</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-33980";>CVE-2022-33980</a>
</td>
<td>
- < 9.1
+ < 9.1
</td>
<td>
- commons-configuration2-2.7.jar </td>
+ commons-configuration2-2.7.jar </td>
<td>not affected</td>
<td>Solr uses commons-configuration2 for "hadoop-auth" only (for
Kerberos). It is only used for loading Hadoop configuration files that would
only ever be provided by trusted administrators, not externally
(untrusted).</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-42889";>CVE-2022-42889</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-42889";>CVE-2022-42889</a>
</td>
<td>
- < 9.1
+ < 9.1
</td>
<td>
- commons-text-1.9.jar </td>
+ commons-text-1.9.jar </td>
<td>not affected</td>
<td>Solr uses commons-text directly
(StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not
vulnerable. Solr also has a "hadoop-auth" module that uses Apache Hadoop which
uses commons-text through commons-configuration2. For Solr, the concern is
limited to loading Hadoop configuration files that would only ever be provided
by trusted administrators, not externally (untrusted).</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-25168";>CVE-2022-25168</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-25168";>CVE-2022-25168</a>
</td>
<td>
- < 9.1
+ < 9.1
</td>
<td>
- hadoop-common-3.2.2.jar </td>
+ hadoop-common-3.2.2.jar </td>
<td>not affected</td>
<td>The vulnerable code won't be used by Solr because Solr only is
only using HDFS as a client.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832";>CVE-2021-44832</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832";>CVE-2021-44832</a>
</td>
<td>
7.4-8.11.1
</td>
<td>
- log4j-core-2.14.1.jar, log4j-core-2.16.0.jar </td>
+ log4j-core-2.14.1.jar, log4j-core-2.16.0.jar
</td>
<td>not affected</td>
<td>Solr's default log configuration doesn't use JDBCAppender and we
don't imagine a user would want to use it or other obscure appenders.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105";>CVE-2021-45105</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046";>CVE-2021-45046</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105";>CVE-2021-45105</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046";>CVE-2021-45046</a>
</td>
<td>
7.4-8.11.1
</td>
<td>
- log4j-core-2.14.1.jar, log4j-core-2.16.0.jar </td>
+ log4j-core-2.14.1.jar, log4j-core-2.16.0.jar
</td>
<td>not affected</td>
<td>The MDC data used by Solr are for the collection, shard, replica,
core and node names, and a potential trace id, which are all sanitized.
Furthermore, Solr's default log configuration doesn't use double-dollar-sign
and we don't imagine a user would want to do that.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-13955";>CVE-2020-13955</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-13955";>CVE-2020-13955</a>
</td>
<td>
8.1.0- today
</td>
<td>
- avatica-core-1.13.0.jar, calcite-core-1.18.0.jar
</td>
+ avatica-core-1.13.0.jar, calcite-core-1.18.0.jar
</td>
<td>not affected</td>
<td>Solr's SQL adapter does not use the vulnerable class "HttpUtils".
Calcite only used it to talk to Druid or Splunk.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-10237";>CVE-2018-10237</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-10237";>CVE-2018-10237</a>
</td>
<td>
5.4.0-today
</td>
<td>
- carrot2-guava-18.0.jar </td>
+ carrot2-guava-18.0.jar </td>
<td>not affected</td>
<td>Only used with the Carrot2 clustering engine.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2014-0114";>CVE-2014-0114</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2014-0114";>CVE-2014-0114</a>
</td>
<td>
4.9.0-7.5.0
</td>
<td>
- commons-beanutils-1.8.3.jar </td>
+ commons-beanutils-1.8.3.jar </td>
<td>not affected</td>
<td>This is only used at compile time and it cannot be used to attack
Solr. Since it is generally unnecessary, the dependency has been removed as of
7.5.0. See SOLR-12617.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-10086";>CVE-2019-10086</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10086";>CVE-2019-10086</a>
</td>
<td>
8.0.0-8.3.0
</td>
<td>
- commons-beanutils-1.9.3.jar </td>
+ commons-beanutils-1.9.3.jar </td>
<td>not affected</td>
<td>While commons-beanutils was removed in 7.5, it was added back in
8.0 in error and removed again in 8.3. The vulnerable class was not used in any
Solr code path. This jar remains a dependency of both Velocity and
hadoop-common, but Solr does not use it in our implementations.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2012-2098";>CVE-2012-2098</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1324";>CVE-2018-1324</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-11771";>CVE-2018-11771</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2012-2098";>CVE-2012-2098</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1324";>CVE-2018-1324</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-11771";>CVE-2018-11771</a>
</td>
<td>
4.6.0-today
</td>
<td>
- commons-compress (only as part of Ant 1.8.2) </td>
+ commons-compress (only as part of Ant 1.8.2) </td>
<td>not affected</td>
<td>Only used in test framework and at build time.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1000632";>CVE-2018-1000632</a>
</td>
+<a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1000632";>CVE-2018-1000632</a>
</td>
<td>
4.6.0-today
</td>
<td>
- dom4j-1.6.1.jar </td>
+ dom4j-1.6.1.jar </td>
<td>not affected</td>
<td>Only used in Solr tests.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-10237";>CVE-2018-10237</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-10237";>CVE-2018-10237</a>
</td>
<td>
4.6.0-today
</td>
<td>
- guava-*.jar </td>
+ guava-*.jar </td>
<td>not affected</td>
<td>Only used in tests.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-15718";>CVE-2017-15718</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15718";>CVE-2017-15718</a>
</td>
<td>
6.6.1-7.6.0
</td>
<td>
- hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all
Hadoop) </td>
+ hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all
Hadoop) </td>
<td>not affected</td>
<td>Does not impact Solr because Solr uses Hadoop as a client
library.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-14952";>CVE-2017-14952</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14952";>CVE-2017-14952</a>
</td>
<td>
6.0.0-7.5.0
</td>
<td>
- icu4j-56.1.jar, icu4j-59.1.jar </td>
+ icu4j-56.1.jar, icu4j-59.1.jar </td>
<td>not affected</td>
<td>Issue applies only to the C++ release of ICU and not ICU4J, which
is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-15095";>CVE-2017-15095</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-17485";>CVE-2017-17485</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-7525";>CVE-2017-7525</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-5968";>CVE-2018-5968</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-7489";>CVE-2018-7489</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-12086";>CVE-2019-12086</a>, <a
href="https://nvd [...]
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15095";>CVE-2017-15095</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-17485";>CVE-2017-17485</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-7525";>CVE-2017-7525</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-5968";>CVE-2018-5968</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-7489";>CVE-2018-7489</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-12086";>CVE-2019-12086</a>, <a
href="https://nvd.nist.gov/ [...]
<td>
4.7.0-today
</td>
<td>
- jackson-databind-*.jar </td>
+ jackson-databind-*.jar </td>
<td>not affected</td>
- <td>These CVEs, and most of the known jackson-databind CVEs since
2017, are all related to problematic 'gadgets' that could be exploited during
deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See <a
href="https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062";>https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-y
[...]
+ <td>These CVEs, and most of the known jackson-databind CVEs since
2017, are all related to problematic 'gadgets' that could be exploited during
deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See <a
href="https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062";>https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-y
[...]
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-10241";>CVE-2019-10241</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-10247";>CVE-2019-10247</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10241";>CVE-2019-10241</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10247";>CVE-2019-10247</a>
</td>
<td>
7.7.0-8.2
</td>
<td>
- jetty-9.4.14 </td>
+ jetty-9.4.14 </td>
<td>not affected</td>
<td>Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally,
the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier
versions can manually patch their configurations as described in
SOLR-13409.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-27218";>CVE-2020-27218</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27218";>CVE-2020-27218</a>
</td>
<td>
7.3.0-8.8.0
</td>
<td>
- jetty-9.4.0 to 9.4.34 </td>
+ jetty-9.4.0 to 9.4.34 </td>
<td>not affected</td>
<td>Only exploitable through use of Jetty's GzipHandler, which is only
implemented in Embedded Solr Server.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2020-27223";>CVE-2020-27223</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27223";>CVE-2020-27223</a>
</td>
<td>
7.3.0-present
</td>
<td>
- jetty-9.4.6 to 9.4.36 </td>
+ jetty-9.4.6 to 9.4.36 </td>
<td>not affected</td>
<td>Only exploitable if Solr's webapp directory is deployed as a
symlink, which is not Solr's default.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2021-33813";>CVE-2021-33813</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-33813";>CVE-2021-33813</a>
</td>
<td>
to present
</td>
<td>
- jdom-*.jar </td>
+ jdom-*.jar </td>
<td>not affected</td>
<td>JDOM is only used in Solr Cell, which should not be used in
production which makes the vulnerability unexploitable. It is a dependency of
Apache Tika, which has analyzed the issue and determined the vulnerability is
limited to two libraries not commonly used in search applications, see
TIKA-3488 for details. Since Tika should be used outside of Solr, use a version
of Tika which updates the affected libraries if concerned about exposure to
this issue.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1000056";>CVE-2018-1000056</a>
</td>
+<a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1000056";>CVE-2018-1000056</a>
</td>
<td>
4.6.0-7.6.0
</td>
<td>
- junit-4.10.jar </td>
+ junit-4.10.jar </td>
<td>not affected</td>
<td>JUnit only used in tests; CVE only refers to a Jenkins plugin not
used by Solr.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2014-7940";>CVE-2014-7940</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2016-6293";>CVE-2016-6293</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2016-7415";>CVE-2016-7415</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-14952";>CVE-2017-14952</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-17484";>CVE-2017-17484</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-7867";>CVE-2017-7867</a>, <a
href="https://nvd.n [...]
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2014-7940";>CVE-2014-7940</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2016-6293";>CVE-2016-6293</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2016-7415";>CVE-2016-7415</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-14952";>CVE-2017-14952</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-17484";>CVE-2017-17484</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-7867";>CVE-2017-7867</a>, <a
href="https://nvd.nist.gov/vu [...]
<td>
7.3.1
</td>
<td>
- lucene-analyzers-icu-7.3.1.jar </td>
+ lucene-analyzers-icu-7.3.1.jar </td>
<td>not affected</td>
<td>All of these issues apply to the C++ release of ICU and not ICU4J,
which is what Lucene uses.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-16869";>CVE-2019-16869</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16869";>CVE-2019-16869</a>
</td>
<td>
8.2-8.3
</td>
<td>
- netty-all-4.1.29.Final.jar </td>
+ netty-all-4.1.29.Final.jar </td>
<td>not affected</td>
<td>This is not included in Solr but is a dependency of ZooKeeper
3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with Solr 8.3. The
specific classes mentioned in the CVE are not used in Solr (nor in ZooKeeper as
far as the Solr community can determine).</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-14868";>CVE-2017-14868</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-14949";>CVE-2017-14949</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14868";>CVE-2017-14868</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14949";>CVE-2017-14949</a>
</td>
<td>
5.2.0-today
</td>
<td>
- org.restlet-2.3.0.jar </td>
+ org.restlet-2.3.0.jar </td>
<td>not affected</td>
<td>Solr should not be exposed outside a firewall where bad actors can
send HTTP requests. These two CVEs specifically involve classes
(SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use
in any code path.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2015-5237";>CVE-2015-5237</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2015-5237";>CVE-2015-5237</a>
</td>
<td>
6.5.0-today
</td>
<td>
- protobuf-java-3.1.0.jar </td>
+ protobuf-java-3.1.0.jar </td>
<td>not affected</td>
<td>Dependency for Hadoop and Calcite. ??</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1471";>CVE-2018-1471</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1471";>CVE-2018-1471</a>
</td>
<td>
5.4.0-7.7.2, 8.0-8.3
</td>
<td>
- simple-xml-2.7.1.jar </td>
+ simple-xml-2.7.1.jar </td>
<td>not affected</td>
<td>Dependency of Carrot2 and used during compilation, not at runtime
(see SOLR-769. This .jar was replaced in Solr 8.3 and backported to 7.7.3 (see
SOLR-13779).</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-8088";>CVE-2018-8088</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-8088";>CVE-2018-8088</a>
</td>
<td>
4.x-today
</td>
<td>
- slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar,
jul-to-slf4j-1.7.24.jar </td>
+ slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar,
jul-to-slf4j-1.7.24.jar </td>
<td>not affected</td>
<td>The reported CVE impacts org.slf4j.ext.EventData, which is not
used in Solr.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1335";>CVE-2018-1335</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1335";>CVE-2018-1335</a>
</td>
<td>
7.3.1-7.5.0
</td>
<td>
- tika-core.1.17.jar </td>
+ tika-core.1.17.jar </td>
<td>not affected</td>
<td>Solr does not run tika-server, so this is not a problem.</td>
</tr>
<tr>
<td>
- <a href="https://nvd.nist.gov/vuln/detail/CVE-";>CVE-</a> </td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-";>CVE-</a> </td>
<td>
7.3.1-today
</td>
<td>
- tika-core.*.jar </td>
+ tika-core.*.jar </td>
<td>not affected</td>
<td>All Tika issues that could be Solr vulnerabilities would only be
exploitable if untrusted files are indexed with SolrCell. This is not
recommended in production systems, so Solr does not consider these valid CVEs
for Solr.</td>
</tr>
<tr>
<td>
- <a href="https://nvd.nist.gov/vuln/detail/CVE-";>CVE-</a> </td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-";>CVE-</a> </td>
<td>
6.6.2-today
</td>
<td>
- velocity-tools-2.0.jar </td>
+ velocity-tools-2.0.jar </td>
<td>not affected</td>
<td>Solr does not ship a Struts jar. This is a transitive POM listing
and not included with Solr (see comment in SOLR-2849).</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2016-6809";>CVE-2016-6809</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1335";>CVE-2018-1335</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1338";>CVE-2018-1338</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1339";>CVE-2018-1339</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-6809";>CVE-2016-6809</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1335";>CVE-2018-1335</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1338";>CVE-2018-1338</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1339";>CVE-2018-1339</a>
</td>
<td>
5.5.5, 6.2.0-today
</td>
<td>
- vorbis-java-tika-0.8.jar </td>
+ vorbis-java-tika-0.8.jar </td>
<td>not affected</td>
<td>See <a
href="https://github.com/Gagravarr/VorbisJava/issues/30";>https://github.com/Gagravarr/VorbisJava/issues/30</a>;
reported CVEs are not related to OggVorbis at all.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2012-0881";>CVE-2012-0881</a>
</td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2012-0881";>CVE-2012-0881</a>
</td>
<td>
~2.9-today
</td>
<td>
- xercesImpl-2.9.1.jar </td>
+ xercesImpl-2.9.1.jar </td>
<td>not affected</td>
<td>Only used in Lucene Benchmarks and Solr tests.</td>
</tr>
<tr>
<td>
- <a
href="https://nvd.nist.gov/vuln/detail/CVE-2023-51074";>CVE-2023-51074</a>,
GHSA-pfh2-hfmq-phg5 </td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-51074";>CVE-2023-51074</a>,
GHSA-pfh2-hfmq-phg5 </td>
<td>
all
</td>
<td>
- json-path-2.8.0.jar </td>
+ json-path-2.8.0.jar </td>
<td>not affected</td>
<td>The only places we use json-path is for querying (via Calcite) and
for transforming/indexing custom JSON. Since the advisory describes a problem
that is limited to the current thread, and users that are allowed to
query/transform/index are already trusted to cause load to some extent, this
advisory does not appear to have impact on the way json-path is used in
Solr.</td>
</tr>
- <!-- END STATIC TABLE SOLR-17339 -->
</table>
</div>
</div>
diff --git a/output/solr.vex.json b/output/solr.vex.json
new file mode 100644
index 000000000..ef5a19533
--- /dev/null
+++ b/output/solr.vex.json
@@ -0,0 +1,1010 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "version": 1,
+ "metadata": {
+ "component": {
+ "name": "solr",
+ "version": "SNAPSHOT",
+ "type": "application",
+ "bom-ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "id": "CVE-2022-33980",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33980";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr uses commons-configuration2 for \"hadoop-auth\" only
(for Kerberos). It is only used for loading Hadoop configuration files that
would only ever be provided by trusted administrators, not externally
(untrusted)."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-42889",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr uses commons-text directly
(StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not
vulnerable. Solr also has a \"hadoop-auth\" module that uses Apache Hadoop
which uses commons-text through commons-configuration2. For Solr, the concern
is limited to loading Hadoop configuration files that would only ever be
provided by trusted administrators, not externally (untrusted)."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-25168",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25168";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The vulnerable code won't be used by Solr because Solr only
is only using HDFS as a client."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-44832",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr's default log configuration doesn't use JDBCAppender
and we don't imagine a user would want to use it or other obscure appenders."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-45105",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The MDC data used by Solr are for the collection, shard,
replica, core and node names, and a potential trace id, which are all
sanitized. Furthermore, Solr's default log configuration doesn't use
double-dollar-sign and we don't imagine a user would want to do that."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-45046",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The MDC data used by Solr are for the collection, shard,
replica, core and node names, and a potential trace id, which are all
sanitized. Furthermore, Solr's default log configuration doesn't use
double-dollar-sign and we don't imagine a user would want to do that."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-13955",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13955";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr's SQL adapter does not use the vulnerable class
\"HttpUtils\". Calcite only used it to talk to Druid or Splunk."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-10237",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used with the Carrot2 clustering engine."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2014-0114",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "This is only used at compile time and it cannot be used to
attack Solr. Since it is generally unnecessary, the dependency has been removed
as of 7.5.0. See SOLR-12617."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-10086",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "While commons-beanutils was removed in 7.5, it was added
back in 8.0 in error and removed again in 8.3. The vulnerable class was not
used in any Solr code path. This jar remains a dependency of both Velocity and
hadoop-common, but Solr does not use it in our implementations."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2012-2098",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2098";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in test framework and at build time."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1324",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1324";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in test framework and at build time."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-11771",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11771";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in test framework and at build time."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1000632",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000632";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in Solr tests."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-10237",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in tests."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-15718",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15718";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Does not impact Solr because Solr uses Hadoop as a client
library."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-14952",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14952";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Issue applies only to the C++ release of ICU and not ICU4J,
which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0"
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-15095",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15095";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-17485",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17485";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-7525",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-5968",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5968";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-7489",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-12086",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12086";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-12384",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-12814",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12814";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-14379",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-14439",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14439";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-35490",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35490";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-35491",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35491";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-20190",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-14540",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14540";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-16335",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16335";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-10241",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10241";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr upgraded to Jetty 9.4.19 for the 8.2 release.
Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and
7.7.2. Earlier versions can manually patch their configurations as described in
SOLR-13409."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-10247",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10247";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr upgraded to Jetty 9.4.19 for the 8.2 release.
Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and
7.7.2. Earlier versions can manually patch their configurations as described in
SOLR-13409."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-27218",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27218";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only exploitable through use of Jetty's GzipHandler, which
is only implemented in Embedded Solr Server."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-27223",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27223";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only exploitable if Solr's webapp directory is deployed as
a symlink, which is not Solr's default."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-33813",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33813";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "JDOM is only used in Solr Cell, which should not be used in
production which makes the vulnerability unexploitable. It is a dependency of
Apache Tika, which has analyzed the issue and determined the vulnerability is
limited to two libraries not commonly used in search applications, see
TIKA-3488 for details. Since Tika should be used outside of Solr, use a version
of Tika which updates the affected libraries if concerned about exposure to
this issue."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1000056",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000056";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "JUnit only used in tests; CVE only refers to a Jenkins
plugin not used by Solr."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2014-7940",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7940";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2016-6293",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6293";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2016-7415",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7415";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-14952",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14952";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-17484",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17484";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-7867",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7867";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-7868",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7868";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-16869",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "This is not included in Solr but is a dependency of
ZooKeeper 3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with
Solr 8.3. The specific classes mentioned in the CVE are not used in Solr (nor
in ZooKeeper as far as the Solr community can determine)."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-14868",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14868";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr should not be exposed outside a firewall where bad
actors can send HTTP requests. These two CVEs specifically involve classes
(SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use
in any code path."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-14949",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14949";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr should not be exposed outside a firewall where bad
actors can send HTTP requests. These two CVEs specifically involve classes
(SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use
in any code path."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2015-5237",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5237";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Dependency for Hadoop and Calcite. ??"
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1471",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1471";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Dependency of Carrot2 and used during compilation, not at
runtime (see SOLR-769. This .jar was replaced in Solr 8.3 and backported to
7.7.3 (see SOLR-13779)."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-8088",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8088";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The reported CVE impacts org.slf4j.ext.EventData, which is
not used in Solr."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1335",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1335";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr does not run tika-server, so this is not a problem."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All Tika issues that could be Solr vulnerabilities would
only be exploitable if untrusted files are indexed with SolrCell. This is not
recommended in production systems, so Solr does not consider these valid CVEs
for Solr."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr does not ship a Struts jar. This is a transitive POM
listing and not included with Solr (see comment in SOLR-2849)."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2016-6809",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6809";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30;
reported CVEs are not related to OggVorbis at all."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1335",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1335";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30;
reported CVEs are not related to OggVorbis at all."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1338",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1338";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30;
reported CVEs are not related to OggVorbis at all."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1339",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1339";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30;
reported CVEs are not related to OggVorbis at all."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2012-0881",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0881";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in Lucene Benchmarks and Solr tests."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-39135",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39135";
+ },
+ "analysis": {
+ "state": "exploitable",
+ "response": [
+ "update"
+ ],
+ "detail": "Apache Calcite has a vulnerability, CVE-2022-39135, that is
exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply
SQL queries to Solr's '/sql' handler (even indirectly via proxies / other
apps), then the user could perform an XML External Entity (XXE) attack. This
might have been exposed by some deployers of Solr in order for internal
analysts to use JDBC based tooling, but would have unlikely been granted to
wider audiences."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2023-51074",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51074";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The only places we use json-path is for querying (via
Calcite) and for transforming/indexing custom JSON. Since the advisory
describes a problem that is limited to the current thread, and users that are
allowed to query/transform/index are already trusted to cause load to some
extent, this advisory does not appear to have impact on the way json-path is
used in Solr."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "GHSA-pfh2-hfmq-phg5",
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories/GHSA-pfh2-hfmq-phg5";
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The only places we use json-path is for querying (via
Calcite) and for transforming/indexing custom JSON. Since the advisory
describes a problem that is limited to the current thread, and users that are
allowed to query/transform/index are already trusted to cause load to some
extent, this advisory does not appear to have impact on the way json-path is
used in Solr."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
![https://solr.apache.org/theme/images/solr_og_image.png?v=4dd59757"/](https://solr.apache.org/theme/images/solr_og_image.png?v=4dd59757"/){kind=link}
![https://solr.apache.org/theme/solr/solr_og_image.png?v=4dd59757"/](https://solr.apache.org/theme/solr/solr_og_image.png?v=4dd59757"/){kind=link}