[ https://issues.apache.org/jira/browse/OAK-9520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17390343#comment-17390343 ]

Nitin Gupta commented on OAK-9520:
----------------------------------

[https://github.com/apache/jackrabbit-oak/pull/334]

> CVE-2021-29262 in oak-solr-osgi
> --------------------------------
>
>                 Key: OAK-9520
>                 URL: https://issues.apache.org/jira/browse/OAK-9520
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>            Reporter: Nitin Gupta
>            Assignee: Nitin Gupta
>            Priority: Major
>
> Vulnerability in: org.apache.solr : solr-solrj : 8.6.3
> CVE-2021-29262
>
> {code:java}
> When starting Apache Solr versions prior to 8.8.2, configured with the
> SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no
> existing security.json znode, if the optional read-only user is configured
> then Solr would not treat that node as a sensitive path and would allow it to
> be readable. Additionally, with any ZkACLProvider, if the security.json is
> already present, Solr will not automatically update the ACLs.
> {code}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)