[jira] [Updated] (SOLR-17822) Upgrade commons-lang3 to 3.18.0

Mon, 21 Jul 2025 21:48:09 -0700 


     [ 
https://issues.apache.org/jira/browse/SOLR-17822?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Isha Kunwar updated SOLR-17822:
-------------------------------
    Summary: Upgrade commons-lang3 to 3.18.0  (was: Upgrade `commons-lang3` to 
3.18.0)

> Upgrade commons-lang3 to 3.18.0
> -------------------------------
>
>                 Key: SOLR-17822
>                 URL: https://issues.apache.org/jira/browse/SOLR-17822
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Build, security
>    Affects Versions: 9.5, 9.7, 9.8.1
>         Environment: Detected via internal security scan across deployed Solr 
> versions: *9.5, 9.7, and 9.8.*
>            Reporter: Isha Kunwar
>            Priority: Major
>              Labels: security
>         Attachments: Screenshot 2025-07-22 101544.png
>
>
> While reviewing our deployments, we noticed that Apache Solr ships with 
> `{*}commons-lang3{*}` version 3.14.0, which is affected by *CVE-2025-48924* 
> ({color:#FF0000}High severity{color}).
> Details:
> - {*}**CVE**{*}: 
> {*}{*}[{*}CVE-2025-48924{*}|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]
> - **{*}Affected Library{*}**: *org.apache.commons:commons-lang3*
> - **{*}Detected Version{*}**: 3.14.0
> - **{*}Fixed Version{*}**: 3.18.0
> - **{*}Path{*}**: 
> /opt/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-lang3-3.14.0.jar
> - **{*}Detected On{*}**: 9.5, 9.7, 9.8
> - **{*}Detection Time{*}**: 2025-07-11
> - **{*}Issue{*}**: Uncontrolled recursion in `{*}ClassUtils.getClass(...){*}` 
> may throw a 
> [`StackOverflowError`|https://nvd.nist.gov/vuln/detail/CVE-2025-48924] on 
> very long inputs.
> - **{*}Impact{*}**: Since `Error`s are typically not caught by applications 
> or libraries, this could result in application crashes.
> **{*}Request{*}**:  
> Please let me know if this issue is known or already being tracked, and 
> whether an upgrade or patch is planned in upcoming Solr releases.
> Thanks.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to