This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/solr-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 38fe4e5c6 Automatic Site Publish by Buildbot
38fe4e5c6 is described below
commit 38fe4e5c6995b9d9b558783be298d0610f2ce7ac
Author: buildbot <[email protected]>
AuthorDate: Thu May 16 11:26:40 2024 +0000
Automatic Site Publish by Buildbot
---
output/resources.html | 2 +-
output/security.html | 11 ++
output/solr.vex.json | 394 ++++++++++++++++++++++++++++++++++++++++++--------
3 files changed, 345 insertions(+), 62 deletions(-)
diff --git a/output/resources.html b/output/resources.html
index 45ea09fd7..eea6675af 100644
--- a/output/resources.html
+++ b/output/resources.html
@@ -143,7 +143,7 @@
<p><a href="/guide/solr-tutorial.html">Solr Quick Start</a></p>
</li>
<li>
-<p><a
href="https://github.com/docker-solr/docker-solr#getting-started-with-the-docker-image">Solr
on Docker</a></p>
+<p><a href="/guide/solr/latest/deployment-guide/solr-in-docker.html">Solr on
Docker</a></p>
</li>
<li>
<p><a href="/operator/resources.html#tutorials">Solr on Kubernetes</a></p>
diff --git a/output/security.html b/output/security.html
index af101b8e5..c2fc4e231 100644
--- a/output/security.html
+++ b/output/security.html
@@ -997,6 +997,17 @@ Github user <code>s00py</code></p>
<td>not affected</td>
<td>Only used in Lucene Benchmarks and Solr tests.</td>
</tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-51074">CVE-2023-51074</a>,
GHSA-pfh2-hfmq-phg5 </td>
+ <td>
+ all
+ </td>
+ <td>
+ json-path-2.8.0.jar </td>
+ <td>not affected</td>
+ <td>The only places we use json-path is for querying (via Calcite) and
for transforming/indexing custom JSON. Since the advisory describes a problem
that is limited to the current thread, and users that are allowed to
query/transform/index are already trusted to cause load to some extent, this
advisory does not appear to have impact on the way json-path is used in
Solr.</td>
+ </tr>
</table>
</div>
</div>
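Review bot: In the new row the CVE is hyperlinked but `GHSA-pfh2-hfmq-phg5` is left as bare text next to it; link it to the advisory page the VEX file already cites, `<a href="https://github.com/advisories/GHSA-pfh2-hfmq-phg5">GHSA-pfh2-hfmq-phg5</a>`, so readers land on the same record scanners will report. The rationale in the last cell also rests on an unstated premise — that anyone able to query, transform or index is an authenticated, trusted user — and a reader operating an instance that accepts unauthenticated queries cannot tell from the current wording that the "not affected" verdict does not cover them; a clause such as "assuming query and update endpoints are not reachable by unauthenticated callers" makes the scope explicit. The same detail text is repeated verbatim in the CVE-2023-51074 and GHSA-pfh2-hfmq-phg5 entries added to output/solr.vex.json in this commit, so the wording should be fixed once in the site source that generates both.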
diff --git a/output/solr.vex.json b/output/solr.vex.json
index d7e3fe61c..ef5a19533 100644
--- a/output/solr.vex.json
+++ b/output/solr.vex.json
@@ -7,720 +7,960 @@
"name": "solr",
"version": "SNAPSHOT",
"type": "application",
- "bom-ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "bom-ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
},
"vulnerabilities": [
{
"id": "CVE-2022-33980",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33980"
+ },
"analysis": {
"state": "not_affected",
"detail": "Solr uses commons-configuration2 for \"hadoop-auth\" only
(for Kerberos). It is only used for loading Hadoop configuration files that
would only ever be provided by trusted administrators, not externally
(untrusted)."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2022-42889",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
+ },
"analysis": {
"state": "not_affected",
"detail": "Solr uses commons-text directly
(StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not
vulnerable. Solr also has a \"hadoop-auth\" module that uses Apache Hadoop
which uses commons-text through commons-configuration2. For Solr, the concern
is limited to loading Hadoop configuration files that would only ever be
provided by trusted administrators, not externally (untrusted)."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2022-25168",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25168"
+ },
"analysis": {
"state": "not_affected",
"detail": "The vulnerable code won't be used by Solr because Solr only
is only using HDFS as a client."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2021-44832",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44832"
+ },
"analysis": {
"state": "not_affected",
"detail": "Solr's default log configuration doesn't use JDBCAppender
and we don't imagine a user would want to use it or other obscure appenders."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2021-45105",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45105"
+ },
"analysis": {
"state": "not_affected",
"detail": "The MDC data used by Solr are for the collection, shard,
replica, core and node names, and a potential trace id, which are all
sanitized. Furthermore, Solr's default log configuration doesn't use
double-dollar-sign and we don't imagine a user would want to do that."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2021-45046",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
+ },
"analysis": {
"state": "not_affected",
"detail": "The MDC data used by Solr are for the collection, shard,
replica, core and node names, and a potential trace id, which are all
sanitized. Furthermore, Solr's default log configuration doesn't use
double-dollar-sign and we don't imagine a user would want to do that."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2020-13955",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13955"
+ },
"analysis": {
"state": "not_affected",
"detail": "Solr's SQL adapter does not use the vulnerable class
\"HttpUtils\". Calcite only used it to talk to Druid or Splunk."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-10237",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237"
+ },
"analysis": {
"state": "not_affected",
"detail": "Only used with the Carrot2 clustering engine."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2014-0114",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114"
+ },
"analysis": {
"state": "not_affected",
"detail": "This is only used at compile time and it cannot be used to
attack Solr. Since it is generally unnecessary, the dependency has been removed
as of 7.5.0. See SOLR-12617."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2019-10086",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086"
+ },
"analysis": {
"state": "not_affected",
"detail": "While commons-beanutils was removed in 7.5, it was added
back in 8.0 in error and removed again in 8.3. The vulnerable class was not
used in any Solr code path. This jar remains a dependency of both Velocity and
hadoop-common, but Solr does not use it in our implementations."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2012-2098",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2098"
+ },
"analysis": {
"state": "not_affected",
"detail": "Only used in test framework and at build time."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-1324",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1324"
+ },
"analysis": {
"state": "not_affected",
"detail": "Only used in test framework and at build time."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-11771",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11771"
+ },
"analysis": {
"state": "not_affected",
"detail": "Only used in test framework and at build time."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-1000632",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000632"
+ },
"analysis": {
"state": "not_affected",
"detail": "Only used in Solr tests."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-10237",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237"
+ },
"analysis": {
"state": "not_affected",
"detail": "Only used in tests."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2017-15718",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15718"
+ },
"analysis": {
"state": "not_affected",
"detail": "Does not impact Solr because Solr uses Hadoop as a client
library."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2017-14952",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14952"
+ },
"analysis": {
"state": "not_affected",
"detail": "Issue applies only to the C++ release of ICU and not ICU4J,
which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0"
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2017-15095",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15095"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2017-17485",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17485"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2017-7525",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-5968",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5968"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-7489",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2019-12086",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12086"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2019-12384",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-12814",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12814"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2019-14379",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2019-14439",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14439"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2020-35490",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35490"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2020-35491",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35491"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2021-20190",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2019-14540",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14540"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2019-16335",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16335"
+ },
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs
since 2017, are all related to problematic 'gadgets' that could be exploited
during deserialization of untrusted data. The Jackson developers described 4
conditions that must be met in order for a problematic gadget to be exploited.
See
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062.
Solr's use of jackson-databind does not meet 1 of the 4 conditions described
[...]
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2019-10241",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10241"
+ },
"analysis": {
"state": "not_affected",
"detail": "Solr upgraded to Jetty 9.4.19 for the 8.2 release.
Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and
7.7.2. Earlier versions can manually patch their configurations as described in
SOLR-13409."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2019-10247",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10247"
+ },
"analysis": {
"state": "not_affected",
"detail": "Solr upgraded to Jetty 9.4.19 for the 8.2 release.
Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and
7.7.2. Earlier versions can manually patch their configurations as described in
SOLR-13409."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2020-27218",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27218"
+ },
"analysis": {
"state": "not_affected",
"detail": "Only exploitable through use of Jetty's GzipHandler, which
is only implemented in Embedded Solr Server."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2020-27223",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27223"
+ },
"analysis": {
"state": "not_affected",
"detail": "Only exploitable if Solr's webapp directory is deployed as
a symlink, which is not Solr's default."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2021-33813",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33813"
+ },
"analysis": {
"state": "not_affected",
"detail": "JDOM is only used in Solr Cell, which should not be used in
production which makes the vulnerability unexploitable. It is a dependency of
Apache Tika, which has analyzed the issue and determined the vulnerability is
limited to two libraries not commonly used in search applications, see
TIKA-3488 for details. Since Tika should be used outside of Solr, use a version
of Tika which updates the affected libraries if concerned about exposure to
this issue."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-1000056",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000056"
+ },
"analysis": {
"state": "not_affected",
"detail": "JUnit only used in tests; CVE only refers to a Jenkins
plugin not used by Solr."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2014-7940",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7940"
+ },
"analysis": {
"state": "not_affected",
"detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2016-6293",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6293"
+ },
"analysis": {
"state": "not_affected",
"detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2016-7415",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7415"
+ },
"analysis": {
"state": "not_affected",
"detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2017-14952",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14952"
+ },
"analysis": {
"state": "not_affected",
"detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2017-17484",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17484"
+ },
"analysis": {
"state": "not_affected",
"detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2017-7867",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7867"
+ },
"analysis": {
"state": "not_affected",
"detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2017-7868",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7868"
+ },
"analysis": {
"state": "not_affected",
"detail": "All of these issues apply to the C++ release of ICU and not
ICU4J, which is what Lucene uses."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2019-16869",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869"
+ },
"analysis": {
"state": "not_affected",
"detail": "This is not included in Solr but is a dependency of
ZooKeeper 3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with
Solr 8.3. The specific classes mentioned in the CVE are not used in Solr (nor
in ZooKeeper as far as the Solr community can determine)."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2017-14868",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14868"
+ },
"analysis": {
"state": "not_affected",
"detail": "Solr should not be exposed outside a firewall where bad
actors can send HTTP requests. These two CVEs specifically involve classes
(SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use
in any code path."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2017-14949",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14949"
+ },
"analysis": {
"state": "not_affected",
"detail": "Solr should not be exposed outside a firewall where bad
actors can send HTTP requests. These two CVEs specifically involve classes
(SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use
in any code path."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2015-5237",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5237"
+ },
"analysis": {
"state": "not_affected",
"detail": "Dependency for Hadoop and Calcite. ??"
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-1471",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1471"
+ },
"analysis": {
"state": "not_affected",
"detail": "Dependency of Carrot2 and used during compilation, not at
runtime (see SOLR-769. This .jar was replaced in Solr 8.3 and backported to
7.7.3 (see SOLR-13779)."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-8088",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8088"
+ },
"analysis": {
"state": "not_affected",
"detail": "The reported CVE impacts org.slf4j.ext.EventData, which is
not used in Solr."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-1335",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1335"
+ },
"analysis": {
"state": "not_affected",
"detail": "Solr does not run tika-server, so this is not a problem."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-"
+ },
"analysis": {
"state": "not_affected",
"detail": "All Tika issues that could be Solr vulnerabilities would
only be exploitable if untrusted files are indexed with SolrCell. This is not
recommended in production systems, so Solr does not consider these valid CVEs
for Solr."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-"
+ },
"analysis": {
"state": "not_affected",
"detail": "Solr does not ship a Struts jar. This is a transitive POM
listing and not included with Solr (see comment in SOLR-2849)."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2016-6809",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6809"
+ },
"analysis": {
"state": "not_affected",
"detail": "See https://github.com/Gagravarr/VorbisJava/issues/30;
reported CVEs are not related to OggVorbis at all."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-1335",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1335"
+ },
"analysis": {
"state": "not_affected",
"detail": "See https://github.com/Gagravarr/VorbisJava/issues/30;
reported CVEs are not related to OggVorbis at all."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-1338",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1338"
+ },
"analysis": {
"state": "not_affected",
"detail": "See https://github.com/Gagravarr/VorbisJava/issues/30;
reported CVEs are not related to OggVorbis at all."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2018-1339",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1339"
+ },
"analysis": {
"state": "not_affected",
"detail": "See https://github.com/Gagravarr/VorbisJava/issues/30;
reported CVEs are not related to OggVorbis at all."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2012-0881",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0881"
+ },
"analysis": {
"state": "not_affected",
"detail": "Only used in Lucene Benchmarks and Solr tests."
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
},
{
"id": "CVE-2022-39135",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39135"
+ },
"analysis": {
"state": "exploitable",
"response": [
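Review bot: Two of the entries this hunk annotates carry the placeholder id `"CVE-"` (the blanket Tika statement and the Struts note), so the newly added `"url": "https://nvd.nist.gov/vuln/detail/CVE-"` points at nothing, and VEX consumers, which match statements on `id`, can never associate either rationale with a real advisory. Either give them the concrete identifiers they are meant to cover or drop them, since a `not_affected` statement with no usable id conveys nothing to a scanner. The hunk also adds `source` blocks to repeated ids: CVE-2018-10237, CVE-2017-14952 and CVE-2018-1335 each appear twice with different `detail` text, and the second CVE-2018-1335 entry carries the VorbisJava rationale shared by CVE-2018-1338 and CVE-2018-1339, which looks like a copy-paste id; a consumer that keeps the last occurrence will see only one of the two rationales. Since every analysis here is `not_affected`, filling in CycloneDX's `analysis.justification` (values such as `code_not_reachable` or `requires_environment`) would make the reasoning machine-readable rather than prose only. This is published build output, so the corrections belong in the source file the site build renders into solr.vex.json.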
@@ -730,7 +970,39 @@
},
"affects": [
{
- "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2023-51074",
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51074"
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The only places we use json-path is for querying (via
Calcite) and for transforming/indexing custom JSON. Since the advisory
describes a problem that is limited to the current thread, and users that are
allowed to query/transform/index are already trusted to cause load to some
extent, this advisory does not appear to have impact on the way json-path is
used in Solr."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
+ }
+ ]
+ },
+ {
+ "id": "GHSA-pfh2-hfmq-phg5",
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories/GHSA-pfh2-hfmq-phg5"
+ },
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The only places we use json-path is for querying (via
Calcite) and for transforming/indexing custom JSON. Since the advisory
describes a problem that is limited to the current thread, and users that are
allowed to query/transform/index are already trusted to cause load to some
extent, this advisory does not appear to have impact on the way json-path is
used in Solr."
+ },
+ "affects": [
+ {
+ "ref": "24c354b2-068e-5094-8552-fd058faed8dc"
}
]
}
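Review bot: The new CVE-2023-51074 and GHSA-pfh2-hfmq-phg5 entries record the same advisory twice with an identical `detail`, which will drift the first time one of them is edited; CycloneDX models this as one vulnerability whose equivalent ids are listed under `references`, e.g. keep the CVE entry and add `"references": [{"id": "GHSA-pfh2-hfmq-phg5", "source": {"name": "GITHUB", "url": "https://github.com/advisories/GHSA-pfh2-hfmq-phg5"}}]`. Both new analyses are `not_affected` without a `justification`, so a scanner can read the verdict but not the reason; adding the appropriate value from the CycloneDX justification enum alongside `state` closes that gap. The entry this hunk opens with belongs to CVE-2022-39135, whose `analysis` begins before the hunk, so only its `affects` reference is visible here.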