This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/solr-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 4c7d62b61 Automatic Site Publish by Buildbot
4c7d62b61 is described below
commit 4c7d62b61c92cb48ae2fa0bb708f6989d70dfd07
Author: buildbot <[email protected]>
AuthorDate: Thu Jan 19 12:31:05 2023 +0000
Automatic Site Publish by Buildbot
---
output/community.html | 8 +-
output/downloads.html | 2 +-
output/editing-website.html | 2 +-
output/features.html | 4 +-
output/guide/index.html | 2 +-
output/guide/solr-tutorial.html | 2 +-
output/index.html | 2 +-
output/logos-and-assets.html | 2 +-
output/news.html | 2 +-
output/operator/articles/explore-v030-gke.html | 2 +-
output/operator/artifacts.html | 2 +-
output/operator/community.html | 2 +-
output/operator/features.html | 2 +-
output/operator/index.html | 2 +-
output/operator/logos-and-assets.html | 2 +-
output/operator/news.html | 2 +-
output/operator/resources.html | 2 +-
output/resources.html | 4 +-
output/security.html | 389 ++++++++++++-
output/solr.vex.json | 738 +++++++++++++++++++++++++
output/whoweare.html | 2 +-
21 files changed, 1143 insertions(+), 32 deletions(-)
diff --git a/output/community.html b/output/community.html
index 9486d0dbd..5ede5510e 100644
--- a/output/community.html
+++ b/output/community.html
@@ -210,7 +210,7 @@ wealth of information about how to get the most out of the
IRC channels.</p>
Patches welcome! This is not the correct place to start when you need
support. Problems should be
discussed on the mailing list and/or via IRC before creating an issue.</p>
<h2 id="how-to-contribute">How To Contribute</h2>
-<p>Looking to contribute to Solr? Read the <a
href="https://cwiki.apache.org/confluence/display/SOLR/HowToContribute";>instructions</a>
on
+<p>Looking to contribute to Solr? Read the <a
href="https://github.com/apache/solr/blob/main/CONTRIBUTING.md";>instructions</a>
on
contributing and then submit a patch!</p>
<h2 id="code-of-conduct">Code of Conduct</h2>
<p>For a large and diverse community like ours to be friendly, welcoming and
respectful, we recognize the need for some guidelines. The project follows <a
href="https://www.apache.org/foundation/policies/conduct";>Apache's Code of
Conduct statement</a>. Please take some time to read and understand it.</p>
@@ -232,9 +232,7 @@ No GIT client software is required.</p>
</code></pre></div>
<p>Then use GitHub's <a
href="https://docs.github.com/en/github/getting-started-with-github/fork-a-repo";>fork
feature</a>
-to obtain a personal fork from which you can later contribute your changes
through a
-<a
href="https://cwiki.apache.org/confluence/display/solr/HowToContribute#HowToContribute-WorkingwithGitHub";>Pull
Request</a>
-or a <a
href="https://cwiki.apache.org/confluence/display/solr/HowToContribute#HowToContribute-Generatingapatch";>patch
in Jira</a>.</p>
+to obtain a personal fork from which you can later contribute your changes
based on the <a
href="https://github.com/apache/solr/blob/main/CONTRIBUTING.md";>how to
contribute</a> page.</p>
<p>You may alternatively choose to clone apache's git mirror at
<code>https://gitbox.apache.org/repos/asf/solr.git</code>.</p>
<h2 id="powered-by">Powered By</h2>
<p>Solr powers some of the most heavily-trafficked websites and applications
in the world. Here are some examples (alphabetical order):</p>
@@ -338,7 +336,7 @@ or a <a
href="https://cwiki.apache.org/confluence/display/solr/HowToContribute#H
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/downloads.html b/output/downloads.html
index 9a9370012..2f0b4493a 100644
--- a/output/downloads.html
+++ b/output/downloads.html
@@ -327,7 +327,7 @@ Due to the voluntary nature of Solr, no releases are
scheduled in advance.</p>
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/editing-website.html b/output/editing-website.html
index 6d56d8082..841e596c6 100644
--- a/output/editing-website.html
+++ b/output/editing-website.html
@@ -223,7 +223,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/features.html b/output/features.html
index 7fd3e013e..8c8ecf954 100644
--- a/output/features.html
+++ b/output/features.html
@@ -687,7 +687,7 @@
</div>
<div class="row">
<div class="centered">
- <a class="btn1"
href="https://cwiki.apache.org/confluence/display/solr/HowToContribute";>How to
contribute</a>
+ <a class="btn1"
href="https://github.com/apache/solr/blob/main/CONTRIBUTING.md";>How to
contribute</a>
<div>
</div>
</ul>
@@ -1081,7 +1081,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/guide/index.html b/output/guide/index.html
index 8f9e566e5..7563e12f1 100644
--- a/output/guide/index.html
+++ b/output/guide/index.html
@@ -219,7 +219,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/guide/solr-tutorial.html b/output/guide/solr-tutorial.html
index 9880f5b90..669cbbc29 100644
--- a/output/guide/solr-tutorial.html
+++ b/output/guide/solr-tutorial.html
@@ -190,7 +190,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/index.html b/output/index.html
index fe48aa289..fc858b608 100644
--- a/output/index.html
+++ b/output/index.html
@@ -419,7 +419,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/logos-and-assets.html b/output/logos-and-assets.html
index 7b18ce5a9..07334718b 100644
--- a/output/logos-and-assets.html
+++ b/output/logos-and-assets.html
@@ -243,7 +243,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/news.html b/output/news.html
index 346e13e13..4e5f0308e 100644
--- a/output/news.html
+++ b/output/news.html
@@ -3925,7 +3925,7 @@ file included with the release for a full list of
details.</p>
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/articles/explore-v030-gke.html
b/output/operator/articles/explore-v030-gke.html
index b9e21d6e7..ef6b337f3 100644
--- a/output/operator/articles/explore-v030-gke.html
+++ b/output/operator/articles/explore-v030-gke.html
@@ -1009,7 +1009,7 @@ Let’s us know, we’re on slack <a
href="https://kubernetes.slack.com/messages
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/artifacts.html b/output/operator/artifacts.html
index de68044da..0e6fa01b6 100644
--- a/output/operator/artifacts.html
+++ b/output/operator/artifacts.html
@@ -340,7 +340,7 @@ Source releases are provided for the operator, however
binaries are only provide
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/community.html b/output/operator/community.html
index 589b7cf85..0c3ef2126 100644
--- a/output/operator/community.html
+++ b/output/operator/community.html
@@ -233,7 +233,7 @@ to obtain a personal fork from which you can later
contribute your changes throu
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/features.html b/output/operator/features.html
index f3edf4e09..d51b5b920 100644
--- a/output/operator/features.html
+++ b/output/operator/features.html
@@ -391,7 +391,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/index.html b/output/operator/index.html
index b65cac7af..de3d7bf49 100644
--- a/output/operator/index.html
+++ b/output/operator/index.html
@@ -476,7 +476,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/logos-and-assets.html
b/output/operator/logos-and-assets.html
index 872927277..7344d991c 100644
--- a/output/operator/logos-and-assets.html
+++ b/output/operator/logos-and-assets.html
@@ -226,7 +226,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/news.html b/output/operator/news.html
index 70209e733..71c02942e 100644
--- a/output/operator/news.html
+++ b/output/operator/news.html
@@ -337,7 +337,7 @@ Make sure to run the new <code>make prepare</code> command
before submitting a P
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/operator/resources.html b/output/operator/resources.html
index 570fbacf8..1fbaaddca 100644
--- a/output/operator/resources.html
+++ b/output/operator/resources.html
@@ -231,7 +231,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/resources.html b/output/resources.html
index 81f3c0692..dcbc896c5 100644
--- a/output/resources.html
+++ b/output/resources.html
@@ -289,7 +289,7 @@ Rafał Kuć is proud to introduce a new book on Solr, <a
href="http://www.packtp
<p><a
href="http://www.packtpub.com/solr-3-1-enterprise-search-server-cookbook/book";>Buy
here</a></p>
<hr>
<h2 id="presentations">Presentations</h2>
-<p>If you have a Solr presentation that you would like to see listed here,
please submit a <a
href="https://cwiki.apache.org/confluence/display/solr/HowToContribute";>patch</a>
via a JIRA with the appropriate content.</p>
+<p>If you have a Solr presentation that you would like to see listed here,
please submit a <a
href="https://github.com/apache/solr/blob/main/CONTRIBUTING.md";>patch</a> via a
JIRA with the appropriate content.</p>
<h3 class="offset" id="slideshare">Slideshare</h3>
<p><a href="http://www.slideshare.net/search/slideshow?&q=solr";>Search
Slideshare for Solr</a></p>
@@ -381,7 +381,7 @@ Rafał Kuć is proud to introduce a new book on Solr, <a
href="http://www.packtp
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/security.html b/output/security.html
index 517fe27b0..3568a6046 100644
--- a/output/security.html
+++ b/output/security.html
@@ -129,21 +129,22 @@
<p>Every CVE that is detected by a software scanner is by definition already
public knowledge. That means the Solr PMC and the rest of the world probably
already know about it.</p>
<p>To find a path forward in addressing a detected CVE we suggest the
following process for fastest results:</p>
<ol>
-<li>Check further down this page to see if the CVE is listed as exploitable in
Solr.</li>
-<li>Check the <a
href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools";>officially
published non-exploitable vulnerabilities</a> list to see if the CVE is listed
as not exploitable in Solr.</li>
+<li>Check <a href="#recent-cve-reports-for-apache-solr">further down this
page</a> to see if the CVE is listed as exploitable in Solr.</li>
+<li>Check the <a href="#cve-reports-for-apache-solr-dependencies">officially
published non-exploitable vulnerabilities</a> list to see if the CVE is listed
as not exploitable in Solr.</li>
<li>Search through the <a
href="https://lists.apache.org/[email protected]";>Solr users
mailing list archive</a> to see if anyone else has brought up this dependency
CVE.</li>
<li>If no one has, then please do <a
href="https://solr.apache.org/community.html#mailing-lists-chat";>subscribe to
the users mailing list</a> and then send an email asking about the CVE.</li>
</ol>
<h4 id="dos-and-donts">Dos and Don'ts</h4>
<ul>
-<li>Please DO discuss the possible need for library upgrades on the user list.
</li>
+<li>Please DO discuss the possible need for library upgrades on the user
list.</li>
<li>Please DO search Jira for the CVE number to see if we are addressing it
already.</li>
<li>Please DO create Jira issues and associated pull requests to propose and
discuss upgrades of <em>a single specific</em> dependency.</li>
<li>Please DO NOT attach a scan report, or paste output of a scan into Jira
(just link the CVE instead)</li>
<li>Please DO NOT email the security email below with a scan report it will be
ignored.</li>
+<li>Please DO look into automating some of this with <a href="#vex">VEX</a>
and share your experience.</li>
</ul>
<h4 id="use-of-jira">Use of Jira</h4>
-<p>Jira is for discussing specific development modifications. Any Jira that
contains only scan report output, or references multiple dependencies at the
same time is likely to be ignored/closed. The large number of folks sending us
reports of things that are already known is a serious drag on our (volunteer)
time so <strong>please search Jira</strong> before opening a new issue. </p>
+<p>Jira is for discussing specific development modifications. Any Jira that
contains only scan report output, or references multiple dependencies at the
same time is likely to be ignored/closed. The large number of folks sending us
reports of things that are already known is a serious drag on our (volunteer)
time so <strong>please search Jira</strong> before opening a new issue.</p>
<h3 id="new-exploits-you-discover-in-solr">New Exploits <span
style="color:blue">You</span> Discover in Solr</h3>
<p>The Solr PMC greatly appreciates reports of new security vulnerabilities
found in Solr itself or demonstrations of exploiting vulnerabilities via
dependencies.
<strong>It is important not to publish a previously unknown exploit</strong>,
or exploit demonstration code on public mailing lists.
@@ -154,10 +155,31 @@ The contact email for reporting newly discovered exploits
in Solr is <a href="&#
<li><strong>Authentication</strong> - Exploits demonstrated without login
waste our time because Solr is not meant to run such that the entire world has
access to all of its APIs. Running without forcing users to log in is no more
valid than running linux with a widely known default root password, or a
database with a root account that has no password.</li>
<li><strong>Authorization</strong> - It is not an exploit unless the
authenticated user was configured with a role that should have prohibited the
action, or the action should never be allowed for any user regardless of role.
Your report should say why you think this action is not acceptable for the
role(s) you tested it with.</li>
</ol>
+<h4 id="vex">VEX</h4>
+<p>Since the process of checking whether CVEs in dependencies of Solr affect
your
+Solr deployment is tedious and error-prone, we are experimenting with sharing
+information about advisories that are known (not) to affect Solr in a
+machine-readable way.</p>
+<p>File formats to share this information are called 'VEX' formats. A number of
+such formats are under active development, such as based on
+<a href="https://cyclonedx.org/capabilities/vex/";>CycloneDX</a> and
+<a
href="https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/prose/csaf-v2-editor-draft.md#45-profile-5-vex";>CSAF</a>.</p>
+<p>We are currently providing vulnerability information in a CycloneDX
JSON-based
+format <a href="/solr.vex.json">here</a>. We are very curious to hear about
your experience,
+and to find out what is still missing to reduce the signal/noise ratio and make
+these tools more effective. We invite you to join the discussion at the
+<a href="mailto:[email protected]";>security-discuss</a>
+<a href="https://www.apache.org/foundation/mailinglists.html";>mailinglist</a>
or,
+if you prefer to collaborate in private, contact
+<a href="mailto:[email protected]";>[email protected]</a>. It will likely
be interesting
+to know what security scanning/reporting tool you are using, exactly on which
+artifacts, and if/how its vendor appears to support VEX. We'd be happy to work
+with you to see if we can provide this information in other variations or
formats.</p>
<h3 id="more-information">More information</h3>
<p>You will find more security related information on our Wiki: <a
href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity";>https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity</a></p>
-<h1 id="recent-cve-reports-for-apache-solr">Recent CVE reports for Apache
Solr</h1>
-<p>Below is a list of already announced CVE vulnerabilities. These are also
available as an <a href="/feeds/solr/security.atom.xml">ATOM feed</a>:</p>
+
+ <h1 id="recent-cve-reports-for-apache-solr">Recent CVE reports for Apache
Solr</h1>
+ <p>Below is a list of already announced CVE vulnerabilities. These are also
available as an <a href="/feeds/solr/security.atom.xml">ATOM feed</a>:</p>
<table>
<tr>
@@ -658,6 +680,359 @@ dk from Chaitin Tech</p>
<li><a
href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity";>https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity</a></li>
</ul>
<hr/>
+ <h1 id="cve-reports-for-apache-solr-dependencies">CVE reports for Apache
Solr dependencies</h1>
+ <p>Below is a list of CVE vulnerabilities in Apache Solr dependencies, and
the state of their applicability to Solr.</p>
+ <p>We are currently experimenting with providing this information in a <a
href="#vex">machine-readable VEX format</a> and encourage you to
participate.</p>
+ <table>
+ <tr>
+ <th>id</th>
+ <th>versions</th>
+ <th>jars</th>
+ <th>state</th>
+ <th>detail</th>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-33980";>CVE-2022-33980</a>
</td>
+ <td>
+ < 9.1
+ </td>
+ <td>
+ commons-configuration2-2.7.jar </td>
+ <td>not affected</td>
+ <td>Solr uses commons-configuration2 for "hadoop-auth" only (for
Kerberos). It is only used for loading Hadoop configuration files that would
only ever be provided by trusted administrators, not externally
(untrusted).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-42889";>CVE-2022-42889</a>
</td>
+ <td>
+ < 9.1
+ </td>
+ <td>
+ commons-text-1.9.jar </td>
+ <td>not affected</td>
+ <td>Solr uses commons-text directly
(StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not
vulnerable. Solr also has a "hadoop-auth" module that uses Apache Hadoop which
uses commons-text through commons-configuration2. For Solr, the concern is
limited to loading Hadoop configuration files that would only ever be provided
by trusted administrators, not externally (untrusted).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-25168";>CVE-2022-25168</a>
</td>
+ <td>
+ < 9.1
+ </td>
+ <td>
+ hadoop-common-3.2.2.jar </td>
+ <td>not affected</td>
+ <td>The vulnerable code won't be used by Solr because Solr only is
only using HDFS as a client.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832";>CVE-2021-44832</a>
</td>
+ <td>
+ 7.4-8.11.1
+ </td>
+ <td>
+ log4j-core-2.14.1.jar, log4j-core-2.16.0.jar
</td>
+ <td>not affected</td>
+ <td>Solr's default log configuration doesn't use JDBCAppender and we
don't imagine a user would want to use it or other obscure appenders.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105";>CVE-2021-45105</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046";>CVE-2021-45046</a>
</td>
+ <td>
+ 7.4-8.11.1
+ </td>
+ <td>
+ log4j-core-2.14.1.jar, log4j-core-2.16.0.jar
</td>
+ <td>not affected</td>
+ <td>The MDC data used by Solr are for the collection, shard, replica,
core and node names, and a potential trace id, which are all sanitized.
Furthermore, Solr's default log configuration doesn't use double-dollar-sign
and we don't imagine a user would want to do that.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-13955";>CVE-2020-13955</a>
</td>
+ <td>
+ 8.1.0- today
+ </td>
+ <td>
+ avatica-core-1.13.0.jar, calcite-core-1.18.0.jar
</td>
+ <td>not affected</td>
+ <td>Solr's SQL adapter does not use the vulnerable class "HttpUtils".
Calcite only used it to talk to Druid or Splunk.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-10237";>CVE-2018-10237</a>
</td>
+ <td>
+ 5.4.0-today
+ </td>
+ <td>
+ carrot2-guava-18.0.jar </td>
+ <td>not affected</td>
+ <td>Only used with the Carrot2 clustering engine.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2014-0114";>CVE-2014-0114</a>
</td>
+ <td>
+ 4.9.0-7.5.0
+ </td>
+ <td>
+ commons-beanutils-1.8.3.jar </td>
+ <td>not affected</td>
+ <td>This is only used at compile time and it cannot be used to attack
Solr. Since it is generally unnecessary, the dependency has been removed as of
7.5.0. See SOLR-12617.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10086";>CVE-2019-10086</a>
</td>
+ <td>
+ 8.0.0-8.3.0
+ </td>
+ <td>
+ commons-beanutils-1.9.3.jar </td>
+ <td>not affected</td>
+ <td>While commons-beanutils was removed in 7.5, it was added back in
8.0 in error and removed again in 8.3. The vulnerable class was not used in any
Solr code path. This jar remains a dependency of both Velocity and
hadoop-common, but Solr does not use it in our implementations.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2012-2098";>CVE-2012-2098</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1324";>CVE-2018-1324</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-11771";>CVE-2018-11771</a>
</td>
+ <td>
+ 4.6.0-today
+ </td>
+ <td>
+ commons-compress (only as part of Ant 1.8.2) </td>
+ <td>not affected</td>
+ <td>Only used in test framework and at build time.</td>
+ </tr>
+ <tr>
+ <td>
+<a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1000632";>CVE-2018-1000632</a>
</td>
+ <td>
+ 4.6.0-today
+ </td>
+ <td>
+ dom4j-1.6.1.jar </td>
+ <td>not affected</td>
+ <td>Only used in Solr tests.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-10237";>CVE-2018-10237</a>
</td>
+ <td>
+ 4.6.0-today
+ </td>
+ <td>
+ guava-*.jar </td>
+ <td>not affected</td>
+ <td>Only used in tests.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15718";>CVE-2017-15718</a>
</td>
+ <td>
+ 6.6.1-7.6.0
+ </td>
+ <td>
+ hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all
Hadoop) </td>
+ <td>not affected</td>
+ <td>Does not impact Solr because Solr uses Hadoop as a client
library.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14952";>CVE-2017-14952</a>
</td>
+ <td>
+ 6.0.0-7.5.0
+ </td>
+ <td>
+ icu4j-56.1.jar, icu4j-59.1.jar </td>
+ <td>not affected</td>
+ <td>Issue applies only to the C++ release of ICU and not ICU4J, which
is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15095";>CVE-2017-15095</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-17485";>CVE-2017-17485</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-7525";>CVE-2017-7525</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-5968";>CVE-2018-5968</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-7489";>CVE-2018-7489</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2019-12086";>CVE-2019-12086</a>, <a
href="https://nvd.nist.gov/ [...]
+ <td>
+ 4.7.0-today
+ </td>
+ <td>
+ jackson-databind-*.jar </td>
+ <td>not affected</td>
+ <td>These CVEs, and most of the known jackson-databind CVEs since
2017, are all related to problematic 'gadgets' that could be exploited during
deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See <a
href="https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062";>https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-y
[...]
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10241";>CVE-2019-10241</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10247";>CVE-2019-10247</a>
</td>
+ <td>
+ 7.7.0-8.2
+ </td>
+ <td>
+ jetty-9.4.14 </td>
+ <td>not affected</td>
+ <td>Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally,
the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier
versions can manually patch their configurations as described in
SOLR-13409.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27218";>CVE-2020-27218</a>
</td>
+ <td>
+ 7.3.0-8.8.0
+ </td>
+ <td>
+ jetty-9.4.0 to 9.4.34 </td>
+ <td>not affected</td>
+ <td>Only exploitable through use of Jetty's GzipHandler, which is only
implemented in Embedded Solr Server.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27223";>CVE-2020-27223</a>
</td>
+ <td>
+ 7.3.0-present
+ </td>
+ <td>
+ jetty-9.4.6 to 9.4.36 </td>
+ <td>not affected</td>
+ <td>Only exploitable if Solr's webapp directory is deployed as a
symlink, which is not Solr's default.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-33813";>CVE-2021-33813</a>
</td>
+ <td>
+ to present
+ </td>
+ <td>
+ jdom-*.jar </td>
+ <td>not affected</td>
+ <td>JDOM is only used in Solr Cell, which should not be used in
production which makes the vulnerability unexploitable. It is a dependency of
Apache Tika, which has analyzed the issue and determined the vulnerability is
limited to two libraries not commonly used in search applications, see
TIKA-3488 for details. Since Tika should be used outside of Solr, use a version
of Tika which updates the affected libraries if concerned about exposure to
this issue.</td>
+ </tr>
+ <tr>
+ <td>
+<a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1000056";>CVE-2018-1000056</a>
</td>
+ <td>
+ 4.6.0-7.6.0
+ </td>
+ <td>
+ junit-4.10.jar </td>
+ <td>not affected</td>
+ <td>JUnit only used in tests; CVE only refers to a Jenkins plugin not
used by Solr.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2014-7940";>CVE-2014-7940</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2016-6293";>CVE-2016-6293</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2016-7415";>CVE-2016-7415</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-14952";>CVE-2017-14952</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-17484";>CVE-2017-17484</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-7867";>CVE-2017-7867</a>, <a
href="https://nvd.nist.gov/vu [...]
+ <td>
+ 7.3.1
+ </td>
+ <td>
+ lucene-analyzers-icu-7.3.1.jar </td>
+ <td>not affected</td>
+ <td>All of these issues apply to the C++ release of ICU and not ICU4J,
which is what Lucene uses.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16869";>CVE-2019-16869</a>
</td>
+ <td>
+ 8.2-8.3
+ </td>
+ <td>
+ netty-all-4.1.29.Final.jar </td>
+ <td>not affected</td>
+ <td>This is not included in Solr but is a dependency of ZooKeeper
3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with Solr 8.3. The
specific classes mentioned in the CVE are not used in Solr (nor in ZooKeeper as
far as the Solr community can determine).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14868";>CVE-2017-14868</a>,
<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14949";>CVE-2017-14949</a>
</td>
+ <td>
+ 5.2.0-today
+ </td>
+ <td>
+ org.restlet-2.3.0.jar </td>
+ <td>not affected</td>
+ <td>Solr should not be exposed outside a firewall where bad actors can
send HTTP requests. These two CVEs specifically involve classes
(SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use
in any code path.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2015-5237";>CVE-2015-5237</a>
</td>
+ <td>
+ 6.5.0-today
+ </td>
+ <td>
+ protobuf-java-3.1.0.jar </td>
+ <td>not affected</td>
+ <td>Dependency for Hadoop and Calcite. ??</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1471";>CVE-2018-1471</a>
</td>
+ <td>
+ 5.4.0-7.7.2, 8.0-8.3
+ </td>
+ <td>
+ simple-xml-2.7.1.jar </td>
+ <td>not affected</td>
+ <td>Dependency of Carrot2 and used during compilation, not at runtime
(see SOLR-769. This .jar was replaced in Solr 8.3 and backported to 7.7.3 (see
SOLR-13779).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-8088";>CVE-2018-8088</a>
</td>
+ <td>
+ 4.x-today
+ </td>
+ <td>
+ slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar,
jul-to-slf4j-1.7.24.jar </td>
+ <td>not affected</td>
+ <td>The reported CVE impacts org.slf4j.ext.EventData, which is not
used in Solr.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1335";>CVE-2018-1335</a>
</td>
+ <td>
+ 7.3.1-7.5.0
+ </td>
+ <td>
+ tika-core.1.17.jar </td>
+ <td>not affected</td>
+ <td>Solr does not run tika-server, so this is not a problem.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-";>CVE-</a> </td>
+ <td>
+ 7.3.1-today
+ </td>
+ <td>
+ tika-core.*.jar </td>
+ <td>not affected</td>
+ <td>All Tika issues that could be Solr vulnerabilities would only be
exploitable if untrusted files are indexed with SolrCell. This is not
recommended in production systems, so Solr does not consider these valid CVEs
for Solr.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-";>CVE-</a> </td>
+ <td>
+ 6.6.2-today
+ </td>
+ <td>
+ velocity-tools-2.0.jar </td>
+ <td>not affected</td>
+ <td>Solr does not ship a Struts jar. This is a transitive POM listing
and not included with Solr (see comment in SOLR-2849).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-6809";>CVE-2016-6809</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1335";>CVE-2018-1335</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1338";>CVE-2018-1338</a>, <a
href="https://nvd.nist.gov/vuln/detail/CVE-2018-1339";>CVE-2018-1339</a>
</td>
+ <td>
+ 5.5.5, 6.2.0-today
+ </td>
+ <td>
+ vorbis-java-tika-0.8.jar </td>
+ <td>not affected</td>
+ <td>See <a
href="https://github.com/Gagravarr/VorbisJava/issues/30";>https://github.com/Gagravarr/VorbisJava/issues/30</a>;
reported CVEs are not related to OggVorbis at all.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2012-0881";>CVE-2012-0881</a>
</td>
+ <td>
+ ~2.9-today
+ </td>
+ <td>
+ xercesImpl-2.9.1.jar </td>
+ <td>not affected</td>
+ <td>Only used in Lucene Benchmarks and Solr tests.</td>
+ </tr>
+ </table>
</div>
</div>
</div>
@@ -731,7 +1106,7 @@ dk from Chaitin Tech</p>
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
diff --git a/output/solr.vex.json b/output/solr.vex.json
new file mode 100644
index 000000000..d7e3fe61c
--- /dev/null
+++ b/output/solr.vex.json
@@ -0,0 +1,738 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "version": 1,
+ "metadata": {
+ "component": {
+ "name": "solr",
+ "version": "SNAPSHOT",
+ "type": "application",
+ "bom-ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "id": "CVE-2022-33980",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr uses commons-configuration2 for \"hadoop-auth\" only
(for Kerberos). It is only used for loading Hadoop configuration files that
would only ever be provided by trusted administrators, not externally
(untrusted)."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-42889",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr uses commons-text directly
(StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not
vulnerable. Solr also has a \"hadoop-auth\" module that uses Apache Hadoop
which uses commons-text through commons-configuration2. For Solr, the concern
is limited to loading Hadoop configuration files that would only ever be
provided by trusted administrators, not externally (untrusted)."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-25168",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The vulnerable code won't be used by Solr because Solr only
is only using HDFS as a client."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-44832",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr's default log configuration doesn't use JDBCAppender
and we don't imagine a user would want to use it or other obscure appenders."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-45105",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The MDC data used by Solr are for the collection, shard,
replica, core and node names, and a potential trace id, which are all
sanitized. Furthermore, Solr's default log configuration doesn't use
double-dollar-sign and we don't imagine a user would want to do that."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-45046",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The MDC data used by Solr are for the collection, shard,
replica, core and node names, and a potential trace id, which are all
sanitized. Furthermore, Solr's default log configuration doesn't use
double-dollar-sign and we don't imagine a user would want to do that."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-13955",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr's SQL adapter does not use the vulnerable class
\"HttpUtils\". Calcite only used it to talk to Druid or Splunk."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-10237",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used with the Carrot2 clustering engine."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2014-0114",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "This is only used at compile time and it cannot be used to
attack Solr. Since it is generally unnecessary, the dependency has been removed
as of 7.5.0. See SOLR-12617."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-10086",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "While commons-beanutils was removed in 7.5, it was added
back in 8.0 in error and removed again in 8.3. The vulnerable class was not
used in any Solr code path. This jar remains a dependency of both Velocity and
hadoop-common, but Solr does not use it in our implementations."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2012-2098",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in test framework and at build time."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1324",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in test framework and at build time."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-11771",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in test framework and at build time."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1000632",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in Solr tests."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-10237",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in tests."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-15718",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Does not impact Solr because Solr uses Hadoop as a client
library."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-14952",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Issue applies only to the C++ release of ICU and not ICU4J,
which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0"
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-15095",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-17485",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-7525",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-5968",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-7489",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-12086",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-12384",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-12814",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-14379",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-14439",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-35490",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-35491",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-20190",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-14540",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-16335",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-10241",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr upgraded to Jetty 9.4.19 for the 8.2 release.
Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and
7.7.2. Earlier versions can manually patch their configurations as described in
SOLR-13409."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-10247",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr upgraded to Jetty 9.4.19 for the 8.2 release.
Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and
7.7.2. Earlier versions can manually patch their configurations as described in
SOLR-13409."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-27218",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only exploitable through use of Jetty's GzipHandler, which
is only implemented in Embedded Solr Server."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-27223",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only exploitable if Solr's webapp directory is deployed as
a symlink, which is not Solr's default."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-33813",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "JDOM is only used in Solr Cell, which should not be used in
production which makes the vulnerability unexploitable. It is a dependency of
Apache Tika, which has analyzed the issue and determined the vulnerability is
limited to two libraries not commonly used in search applications, see
TIKA-3488 for details. Since Tika should be used outside of Solr, use a version
of Tika which updates the affected libraries if concerned about exposure to
this issue."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1000056",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "JUnit only used in tests; CVE only refers to a Jenkins
plugin not used by Solr."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2014-7940",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2016-6293",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2016-7415",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-14952",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-17484",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-7867",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-7868",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-16869",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "This is not included in Solr but is a dependency of
ZooKeeper 3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with
Solr 8.3. The specific classes mentioned in the CVE are not used in Solr (nor
in ZooKeeper as far as the Solr community can determine)."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-14868",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr should not be exposed outside a firewall where bad
actors can send HTTP requests. These two CVEs specifically involve classes
(SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use
in any code path."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-14949",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr should not be exposed outside a firewall where bad
actors can send HTTP requests. These two CVEs specifically involve classes
(SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use
in any code path."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2015-5237",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Dependency for Hadoop and Calcite. ??"
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1471",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Dependency of Carrot2 and used during compilation, not at
runtime (see SOLR-769. This .jar was replaced in Solr 8.3 and backported to
7.7.3 (see SOLR-13779)."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-8088",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The reported CVE impacts org.slf4j.ext.EventData, which is
not used in Solr."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1335",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr does not run tika-server, so this is not a problem."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All Tika issues that could be Solr vulnerabilities would
only be exploitable if untrusted files are indexed with SolrCell. This is not
recommended in production systems, so Solr does not consider these valid CVEs
for Solr."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr does not ship a Struts jar. This is a transitive POM
listing and not included with Solr (see comment in SOLR-2849)."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2016-6809",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30;
reported CVEs are not related to OggVorbis at all."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1335",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30;
reported CVEs are not related to OggVorbis at all."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1338",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30;
reported CVEs are not related to OggVorbis at all."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1339",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30;
reported CVEs are not related to OggVorbis at all."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2012-0881",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in Lucene Benchmarks and Solr tests."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-39135",
+ "analysis": {
+ "state": "exploitable",
+ "response": [
+ "update"
+ ],
+ "detail": "Apache Calcite has a vulnerability, CVE-2022-39135, that is
exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply
SQL queries to Solr's '/sql' handler (even indirectly via proxies / other
apps), then the user could perform an XML External Entity (XXE) attack. This
might have been exposed by some deployers of Solr in order for internal
analysts to use JDBC based tooling, but would have unlikely been granted to
wider audiences."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/output/whoweare.html b/output/whoweare.html
index 11df0751b..714b37311 100644
--- a/output/whoweare.html
+++ b/output/whoweare.html
@@ -258,7 +258,7 @@ have direct write access to the source repositories.
Developers may be invited a
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0";>Apache License,
Version 2.0</a>. <a
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy
Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software
Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache
Software Foundation.
