[ https://issues.apache.org/jira/browse/OAK-9520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17390343#comment-17390343 ]

Nitin Gupta commented on OAK-9520:
----------------------------------

[https://github.com/apache/jackrabbit-oak/pull/334] 

> CVE-2021-29262 in oak-solr-osgi
> -------------------------------
>
>                 Key: OAK-9520
>                 URL: https://issues.apache.org/jira/browse/OAK-9520
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>            Reporter: Nitin Gupta
>            Assignee: Nitin Gupta
>            Priority: Major
>
> Vulnerability in: org.apache.solr : solr-solrj : 8.6.3
> CVE-2021-29262
>  
> {code:java}
> When starting Apache Solr versions prior to 8.8.2, configured with the 
> SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no 
> existing security.json znode, if the optional read-only user is configured 
> then Solr would not treat that node as a sensitive path and would allow it to 
> be readable. Additionally, with any ZkACLProvider, if the security.json is 
> already present, Solr will not automatically update the ACLs.
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
