WCM RnD created SOLR-15324: ------------------------------ Summary: High security vulnerability in Apache Thrift - CVE-2020-13949 (+1) bundled within Solr Key: SOLR-15324 URL: https://issues.apache.org/jira/browse/SOLR-15324 Project: Solr Issue Type: Bug Security Level: Public (Default Security Level. Issues are Public) Affects Versions: 8.8.1 Reporter: WCM RnD
Latest Version of Solr 8.8.1 bundles Apache v0.13.0. Thrift jar that has the following vulnerabilities: h1. Vulnerability Details h2. CVE-2020-13949 *Vulnerability Details in BlackDuck:* see [CVE-2020-13949|https://blackduck.opentext.net/api/vulnerabilities/CVE-2020-13949] *Affected Component(s):* Apache Thrift *Vulnerability Published:* 2021-02-12 15:15 EST *Vulnerability Updated:* 2021-02-18 10:43 EST *CVSS Score:* {color:#FF0000}7.5{color} (overall), {color:#FF0000}7.5{color} (base) *Summary*: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. *Solution*: N/A *Workaround*: N/A h2. BDSA-2021-0373 *Vulnerability Details in BlackDuck:* see [BDSA-2021-0373|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2021-0373] *Affected Component(s):* Apache Thrift *Vulnerability Published:* 2021-02-15 10:38 EST *Vulnerability Updated:* 2021-02-15 10:38 EST *CVSS Score:* 6.5 (overall), {color:#FF0000}7.5{color} (base) *Summary*: Apache Thrift contains a denial-of-service (DoS) vulnerability. Successfully exploiting this could allow an attacker to crash the application. *Solution*: Fixed in [*0.14.0*|https://github.com/apache/thrift/releases/tag/v0.14.0]. The latest stable releases are available [here|https://thrift.apache.org/download.html]. *Workaround*: N/A *Apache Thrift jar needs to be updated to 0.14.0 to fix the above vulnerability* -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org