[ https://issues.apache.org/jira/browse/SOLR-15431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17364484#comment-17364484 ]
Timothy Potter commented on SOLR-15431:
---------------------------------------

Afaik, Solr's password checking code does not rely on this {{checkPassword}} method (a quick grep didn't find any usages for me). We should still upgrade the dependency, but this is not a vulnerability in Solr's authentication layer.

> High Security vulnerability with Bouncy Castle library within Apache Solr 8.8.2
> -------------------------------------------------------------------------------
>
> Key: SOLR-15431
> URL: https://issues.apache.org/jira/browse/SOLR-15431
> Project: Solr
> Issue Type: Bug
> Security Level: Public (Default Security Level. Issues are Public)
> Affects Versions: 8.8.2
> Reporter: WCM RnD
> Priority: Major
>
> A high security vulnerability has been reported for the Bouncy Castle library (*bcprov-jdk15on-1.65.jar*) that is bundled within Apache Solr 8.8.2.
>
> h1. Vulnerability Details
>
> h2. CVE-2020-26939
> CVE-2020-28052
>
> *Affected Component(s):* Bouncy Castle BC Java 1.65 and 1.66.
> *Vulnerability Published:* Dec 17, 2020
> *Vulnerability Updated:* Apr 6, 2021
> *CVSS Score:* 8.1
> *Summary:* An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
>
> Recommendation is to update to Bouncy Castle version 1.68.0

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
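As an added example (not Solr code, and per the comment above Solr's authentication layer does not call this method), this is the kind of regression check a project that does depend on OpenBSDBCrypt.checkPassword could run after bumping bcprov: it hashes one password and confirms the verifier rejects a set of near-miss candidates. The class name and the sample passwords are constructed here; only the two Bouncy Castle calls are real API.

```java
import java.security.SecureRandom;

import org.bouncycastle.crypto.generators.OpenBSDBCrypt;

// Regression check for the CVE-2020-28052 failure mode: a bcrypt verifier
// must reject every password other than the one that was hashed.
public final class BcryptCheckPasswordRegression {

    /** Hash a password with a fresh 16-byte salt at the given cost (4..31). */
    static String hash(char[] password, int cost) {
        byte[] salt = new byte[16];           // bcrypt requires exactly 16 salt bytes
        new SecureRandom().nextBytes(salt);
        return OpenBSDBCrypt.generate(password, salt, cost);
    }

    /**
     * True only if checkPassword accepts the correct password and rejects
     * every candidate in wrongPasswords. An affected bcprov (1.65/1.66) can
     * report a match for a wrong password, which makes this return false.
     * A passing run is evidence, not proof; the fix is the dependency upgrade.
     */
    static boolean verifierBehavesCorrectly(char[] correct, char[][] wrongPasswords) {
        String stored = hash(correct, 10);
        if (!OpenBSDBCrypt.checkPassword(stored, correct)) {
            return false;                     // correct password must verify
        }
        for (char[] wrong : wrongPasswords) {
            if (OpenBSDBCrypt.checkPassword(stored, wrong)) {
                return false;                 // wrong password accepted
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the Solr issue.
        char[] correct = "correct horse battery staple".toCharArray();
        char[][] wrong = {
            "".toCharArray(),
            "correct horse battery stapl".toCharArray(),   // one char short
            "correct horse battery staple!".toCharArray(), // one char longer
            "Correct horse battery staple".toCharArray(),  // case change
            "completely different".toCharArray(),
        };
        boolean ok = verifierBehavesCorrectly(correct, wrong);
        System.out.println(ok ? "checkPassword rejected all wrong passwords"
                              : "checkPassword accepted a wrong password: upgrade bcprov");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it against the bcprov version actually on the classpath (for the 8.8.2 bundle that is bcprov-jdk15on-1.65.jar); a non-zero exit is a reason to prioritise the upgrade the comment recommends.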