[ https://issues.apache.org/jira/browse/SOLR-15855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Smiley updated SOLR-15855:
--------------------------------
    Security: Public  (was: Private (Security Issue))

> CVEs in shadowed dependencies
> -----------------------------
>
>                 Key: SOLR-15855
>                 URL: https://issues.apache.org/jira/browse/SOLR-15855
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public (Default Security Level. Issues are Public)
>    Affects Versions: 8.11.1
>            Reporter: Chris Adams
>            Priority: Major
>
> Our Solr deployments had a number of CVEs flagged due to shadowed
> dependencies in some non-core components:
>
> * htrace-core4 pulls in jackson-databind, and hasn't been updated in many
>   years since the project shut down around 2016. This leaves around 50 critical
>   CVEs — although it's not clear whether any of these are actually exploitable
>   in the Solr configuration, it will generate a lot of noise for Solr users in
>   security-conscious environments.
>   This doesn't appear to be a hard dependency for Solr in normal use but I see
>   that the HBase project has a plan to replace it with a shim:
>   https://issues.apache.org/jira/browse/HBASE-24802
> * The test framework pulls in junit4-ant which has an old simple-xml
>   vulnerable to
>   [CVE-2017-1000190|https://nvd.nist.gov/vuln/detail/CVE-2017-1000190]:
>   /opt/solr-8.11.1/dist/test-framework/lib/junit4-ant-2.7.2.jar

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
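The kind of check the report above calls for, written here as an added example (not the reporter's or the Solr project's code): it walks a dist tree such as /opt/solr-8.11.1/dist and reports libraries repackaged inside other jars, which a scanner working from declared dependencies alone can miss. The watch list and the sample jar are constructed for this example.

```python
"""Find libraries shaded ("shadowed") inside jar files below a directory.

Two signals are used: leftover META-INF/maven/*/pom.properties files (which
survive most shading) and class paths containing a watched package fragment,
matched as a substring so relocated packages are caught as well."""

import io
import zipfile
from pathlib import Path

# Constructed watch list: package path fragment -> library label.
WATCHED_PACKAGES = {"fasterxml/jackson/": "jackson", "simpleframework/xml/": "simple-xml"}


def scan_jar_bytes(name, data):
    """Return embedded Maven coordinates and watched packages found in one jar."""
    artifacts, packages = {}, set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry.startswith("META-INF/maven/") and entry.endswith("pom.properties"):
                text = zf.read(entry).decode("utf-8", "replace")
                props = dict(line.split("=", 1) for line in text.splitlines()
                             if "=" in line and not line.startswith("#"))
                key = (props.get("groupId", "?"), props.get("artifactId", "?"))
                artifacts[key] = props.get("version", "?")
            if entry.endswith(".class"):
                for fragment, label in WATCHED_PACKAGES.items():
                    if fragment in entry:
                        packages.add(label)
    return {"jar": name, "artifacts": artifacts, "packages": packages}


def scan_directory(root):
    """Scan every *.jar below root (e.g. /opt/solr-8.11.1/dist) and return the findings."""
    return [scan_jar_bytes(str(p), p.read_bytes()) for p in Path(root).rglob("*.jar")]


def build_sample_jar():
    """Constructed stand-in for a jar that shades and relocates jackson-databind."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/example/tracing/Tracer.class", b"")
        zf.writestr("org/example/shaded/fasterxml/jackson/databind/ObjectMapper.class", b"")
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                    "#generated\nversion=0.0.0-sample\ngroupId=com.fasterxml.jackson.core\n"
                    "artifactId=jackson-databind\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_jar_bytes("sample.jar", build_sample_jar()))
```

Any jar whose reported artifacts or packages do not match its own name is a candidate for the shadowed-dependency noise described in the issue and can be cross-checked against a CVE feed by the embedded version.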