[ https://issues.apache.org/jira/browse/OAK-9520?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nitin Gupta resolved OAK-9520.
------------------------------
    Resolution: Fixed

> CVE-2021-29262 in oak-solr-osgi
> --------------------------------
>
> Key: OAK-9520
> URL: https://issues.apache.org/jira/browse/OAK-9520
> Project: Jackrabbit Oak
> Issue Type: Bug
> Reporter: Nitin Gupta
> Assignee: Nitin Gupta
> Priority: Major
> Fix For: 1.42.0
>
>
> Vulnerability in: org.apache.solr : solr-solrj : 8.6.3
> CVE-2021-29262
>
> {code:java}
> When starting Apache Solr versions prior to 8.8.2, configured with the
> SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no
> existing security.json znode, if the optional read-only user is configured
> then Solr would not treat that node as a sensitive path and would allow it to
> be readable. Additionally, with any ZkACLProvider, if the security.json is
> already present, Solr will not automatically update the ACLs.
> {code}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)