[ https://issues.apache.org/jira/browse/SOLR-14960?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden resolved SOLR-14960.
---------------------------------
    Resolution: Duplicate

Duplicate of SOLR-13506

> Solr-clustering is bringing in CVE-2018-10237 vulnerable guava
> --------------------------------------------------------------
>
>                 Key: SOLR-14960
>                 URL: https://issues.apache.org/jira/browse/SOLR-14960
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.6.3
>            Reporter: Sourabh Sarvotham Parkala
>            Priority: Major
>
> Hello Team, we find that the Solr-Clustering module is bringing in a vulnerable
> library, `org.carrot2.shaded:carrot2-guava:18.0`.
> The vulnerability is
> [CVE-2018-10237|https://nvd.nist.gov/vuln/detail/CVE-2018-10237]
> Severity: Medium
> CVSS Score: 5.9
> [INFO] +- org.apache.solr:solr-clustering:jar:8.6.3:compile
> [INFO] | +- com.carrotsearch.thirdparty:simple-xml-safe:jar:2.7.1:compile
> [INFO] | +- org.carrot2:carrot2-mini:jar:3.16.0:compile
> [INFO] | +- org.carrot2.attributes:attributes-binder:jar:1.3.3:compile
> [INFO] | - org.carrot2.shaded:carrot2-guava:jar:18.0:compile
> Hence, we are creating this bug to request that you remove the dependency on Carrot2
> from the Solr module, as the last update of the
> [carrot2|https://mvnrepository.com/artifact/org.carrot2.shaded/carrot2-guava]
> library seems to be from 2015, and we cannot be sure they will release a new
> version with the updated Guava library fix.
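The issue above is a shaded copy of Guava hiding inside a transitive dependency, which a scan keyed only on `com.google.guava:guava` would miss. The following added example (not part of the ticket or of Solr) scans `mvn dependency:tree` output for any Guava-derived artifact, including shaded or renamed copies, below the version in which CVE-2018-10237 was fixed; it assumes that fix version is Guava 24.1.1 and uses a constructed tree that extends the one quoted in the report.

```python
import re
from typing import List, Tuple

# Constructed sample: the mvn dependency:tree excerpt quoted in SOLR-14960,
# plus one direct (unshaded) Guava line added to show a non-vulnerable hit.
SAMPLE_TREE = """\
[INFO] +- org.apache.solr:solr-clustering:jar:8.6.3:compile
[INFO] |  +- com.carrotsearch.thirdparty:simple-xml-safe:jar:2.7.1:compile
[INFO] |  +- org.carrot2:carrot2-mini:jar:3.16.0:compile
[INFO] |  +- org.carrot2.attributes:attributes-binder:jar:1.3.3:compile
[INFO] |  \\- org.carrot2.shaded:carrot2-guava:jar:18.0:compile
[INFO] +- com.google.guava:guava:jar:25.1-jre:compile
"""

# Assumption: CVE-2018-10237 was fixed in Guava 24.1.1, so anything below is flagged.
FIXED_GUAVA = (24, 1, 1)

# groupId:artifactId:jar:version:scope as printed by the Maven dependency plugin
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([^:\s]+):(\w+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '25.1-jre' or '18.0' into a numeric tuple that compares sensibly.
    The qualifier after '-' (e.g. 'jre', 'android') is ignored."""
    numeric_part = version.split("-")[0]
    return tuple(int(n) for n in re.findall(r"\d+", numeric_part))


def find_vulnerable_guava(tree: str) -> List[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for every artifact whose artifactId
    contains 'guava' and whose version is below FIXED_GUAVA.
    Matching on artifactId rather than groupId is what catches shaded copies
    such as org.carrot2.shaded:carrot2-guava."""
    hits: List[Tuple[str, str]] = []
    for line in tree.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue  # tree-drawing or non-coordinate line
        group, artifact, version, _scope = match.groups()
        if "guava" not in artifact.lower():
            continue
        if parse_version(version) < FIXED_GUAVA:
            hits.append((f"{group}:{artifact}", version))
    return hits


if __name__ == "__main__":
    for coordinate, version in find_vulnerable_guava(SAMPLE_TREE):
        print(f"vulnerable Guava copy: {coordinate}:{version}")
```

Feed it the real output of `mvn dependency:tree` on the module being audited; the direct `com.google.guava:guava:25.1-jre` line in the sample is deliberately not reported, since only the shaded 18.0 copy falls below the fix version.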

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
