Not sure where the Docker image came from, but according to: https://issues.apache.org/jira/browse/SOLR-13818
Jackson was upgraded to 2.10.0 in Solr 8.4.

> On Jul 21, 2020, at 2:59 PM, Man with No Name <pinkeshsharm...@gmail.com> wrote:
>
> Hey Guys,
> Our team is using Solr 8.4.1 in a kubernetes cluster using the public image
> from docker hub. The containers before getting deployed to the cluster
> get whitescanned and it lists all the CVEs in the container. This is the list
> of CVEs we have for Solr:
>
> CVE-2020-11619, CVE-2020-11620, CVE-2020-8840, CVE-2019-10088,
> CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112,
> CVE-2020-11113, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062,
> CVE-2020-14195, CVE-2019-10094, CVE-2019-12402
>
> Most of the CVEs are because of the old version of Jackson-databind, and it
> has been fixed in the 2.9.10.4 version. So what would be the best way to
> report this and to get it fixed?
>
> CVE is a list of entries — each containing an identification number, a
> description, and at least one public reference — for publicly known
> cybersecurity vulnerabilities.
>
> --
> Regards:
> Pinkesh Sharma