[ https://issues.apache.org/jira/browse/SOLR-13109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
RobertHathaway updated SOLR-13109:
----------------------------------
Description:
Threat Level 9/Critical from Sonatype Application Composition Report run of
Solr 7.6.0, using Scanner 1.56.0-01. Enterprise security won't allow us to
move past Solr 6.5 unless this is fixed or somehow remediated. Lots of issues
in Solr 7.1 also; it may be best to move to the latest Solr.
h2. CVE-2015-1832 Detail
h3. Current Description
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby
before 10.12.1.1, when a Java Security Manager is not in place, allows
context-dependent attackers to read arbitrary files or cause a denial of
service (resource consumption) via vectors involving XmlVTI and the XML
datatype.
h3. Impact
*CVSS v3.0 Severity and Metrics:*
*Base Score:* [9.1 CRITICAL|https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2015-1832&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H]
*Vector:* AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H ([V3 legend|https://www.first.org/cvss/specification-document])
*Impact Score:* 5.2
*Exploitability Score:* 3.9
[https://nvd.nist.gov/vuln/detail/CVE-2015-1832]
was:
Threat Level 9/Critical from Sonatype Application Composition Report run of
Solr 7.6.0, using Scanner 1.56.0-01. Enterprise security won't allow us to
move past Solr 6.5 unless this is fixed or somehow remediated. Lots of issues
in Solr 7.1 also; it may be best to move to the latest Solr.
h2. CVE-2015-1832 Detail
h3. Current Description
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby
before 10.12.1.1, when a Java Security Manager is not in place, allows
context-dependent attackers to read arbitrary files or cause a denial of
service (resource consumption) via vectors involving XmlVTI and the XML
datatype.
h3. Impact
*CVSS v3.0 Severity and Metrics:*
*Base Score:* [9.1 CRITICAL|https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2015-1832&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H]
*Vector:* AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H ([V3 legend|https://www.first.org/cvss/specification-document])
*Impact Score:* 5.2
*Exploitability Score:* 3.9
https://nvd.nist.gov/vuln/detail/CVE-2015-1832
> CVE-2015-1832 Against Solr v7.6
> -------------------------------
>
> Key: SOLR-13109
> URL: https://issues.apache.org/jira/browse/SOLR-13109
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 7.6
> Environment: RedHat Linux. May run from RHEL versions 5, 6 or 7
> but this issue is from Sonatype component scan and should be independent of
> Linux platform version.
> Reporter: RobertHathaway
> Priority: Blocker
>
> Threat Level 9/Critical from Sonatype Application Composition Report run of
> Solr 7.6.0, using Scanner 1.56.0-01. Enterprise security won't allow us to
> move past Solr 6.5 unless this is fixed or somehow remediated. Lots of issues
> in Solr 7.1 also; it may be best to move to the latest Solr.
> h2. CVE-2015-1832 Detail
> h3. Current Description
> XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache
> Derby before 10.12.1.1, when a Java Security Manager is not in place, allows
> context-dependent attackers to read arbitrary files or cause a denial of
> service (resource consumption) via vectors involving XmlVTI and the XML
> datatype.
> h3. Impact
> *CVSS v3.0 Severity and Metrics:*
> *Base Score:* [9.1 CRITICAL|https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2015-1832&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H]
>
> *Vector:* AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H ([V3 legend|https://www.first.org/cvss/specification-document])
> *Impact Score:* 5.2
> *Exploitability Score:* 3.9
> [https://nvd.nist.gov/vuln/detail/CVE-2015-1832]
--
This message was sent by Atlassian JIRA (v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]