ppkarwasz opened a new pull request, #150: URL: https://github.com/apache/solr-site/pull/150
This change adds a VEX statement for CVE-2024-51504, concluding that the vulnerability is **not exploitable in typical production deployments** of Apache Solr (versions 3.4.0 to 3.8.1).

The assessment is based on the following configuration-dependent conditions:

- Solr must be running in [SolrCloud mode](https://solr.apache.org/guide/solr/latest/deployment-guide/cluster-types.html#solrcloud-mode), which uses Zookeeper.
- The [embedded Zookeeper server](https://solr.apache.org/guide/solr/latest/deployment-guide/zookeeper-ensemble.html) must be in use — a configuration **explicitly** discouraged for production environments. Solr logs a warning when this setup is active, supporting the conclusion that it is not commonly used in production.
- The Zookeeper Admin Server must be manually enabled in the `server/solr/zoo.cfg` file. By default, the file contains:

```properties
# Disable ZK AdminServer since we do not use it
admin.enableServer=false
```

Given these requirements, the vulnerability is assessed as:

* Status: `not_affected`
* Justification: `requires_configuration`
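The PR's conclusion hinges on three deployment conditions, and an operator reviewing their own Solr nodes will want to confirm the one that lives in a file: whether `zoo.cfg` still disables the ZooKeeper AdminServer. The following is an added example, not code from the pull request or from Apache Solr. It parses the `.properties`-style `zoo.cfg`, decides whether the AdminServer is on, and maps the three preconditions onto the `not_affected` / `requires_configuration` VEX result used in the PR. It assumes ZooKeeper's documented default (the AdminServer stays enabled unless `admin.enableServer` is literally `false`), takes SolrCloud mode and embedded-ZooKeeper use as boolean inputs because they are not visible in `zoo.cfg`, and uses constructed sample configurations; the function names are the example's own.

```python
"""Check a Solr-bundled zoo.cfg for the ZooKeeper AdminServer setting and
map the result onto the VEX status/justification from the PR description.
Added example; not code from the PR or from Apache Solr."""

from typing import Dict, List

# Constructed sample: the default server/solr/zoo.cfg fragment quoted in the PR.
SOLR_DEFAULT_ZOO_CFG = """\
# Disable ZK AdminServer since we do not use it
admin.enableServer=false
"""

# Constructed sample: an operator has switched the AdminServer back on.
MODIFIED_ZOO_CFG = """\
tickTime=2000
admin.enableServer=true
admin.serverPort=8080
"""

# Constructed sample: the key was removed entirely, so ZooKeeper's default applies.
MISSING_KEY_ZOO_CFG = """\
tickTime=2000
dataDir=/var/solr/zoo_data
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for the Java .properties subset zoo.cfg uses:
    '#' / '!' comment lines, blank lines, and key=value or key:value pairs.
    Only the first separator splits; later '=' characters stay in the value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def admin_server_enabled(cfg_text: str) -> bool:
    """Assumption (ZooKeeper's documented default): the AdminServer runs
    unless admin.enableServer is literally 'false', so an absent key means
    enabled. Values are compared case-insensitively to be conservative."""
    value = parse_properties(cfg_text).get("admin.enableServer")
    return value is None or value.lower() != "false"


def assess_cve_2024_51504(cfg_text: str, solrcloud_mode: bool,
                          embedded_zookeeper: bool) -> Dict[str, object]:
    """Apply the three preconditions from the PR description. If any one is
    unmet, the deployment is 'not_affected' with justification
    'requires_configuration'. If all three hold, that exemption does not
    apply and the deployment is reported as 'affected'."""
    unmet: List[str] = []
    if not solrcloud_mode:
        unmet.append("not running in SolrCloud mode")
    if not embedded_zookeeper:
        unmet.append("embedded ZooKeeper server not in use")
    if not admin_server_enabled(cfg_text):
        unmet.append("admin.enableServer=false in zoo.cfg")
    if unmet:
        return {"vulnerability": "CVE-2024-51504", "status": "not_affected",
                "justification": "requires_configuration",
                "unmet_preconditions": unmet}
    return {"vulnerability": "CVE-2024-51504", "status": "affected",
            "justification": None, "unmet_preconditions": []}


if __name__ == "__main__":
    for name, cfg in [("default", SOLR_DEFAULT_ZOO_CFG),
                      ("modified", MODIFIED_ZOO_CFG),
                      ("missing-key", MISSING_KEY_ZOO_CFG)]:
        print(name, assess_cve_2024_51504(cfg, solrcloud_mode=True,
                                          embedded_zookeeper=True))
```

The missing-key case is the one worth noticing: deleting the `admin.enableServer` line does not keep the AdminServer off, because ZooKeeper's default is to run it, so a `zoo.cfg` that was trimmed during an upgrade can silently drop out of the `not_affected` case even though SolrCloud and the embedded server were never changed.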