[
https://issues.apache.org/jira/browse/SOLR-13109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Cassandra Targett resolved SOLR-13109.
--------------------------------------
Resolution: Invalid
The vulnerability reported by the scanner is a false positive. It is not
possible to exploit the vulnerability in this dependency in Solr.
We have created a page that includes this and several other dependencies that
are flagged and explains how they are not true vulnerabilities for Solr:
https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools.
This .jar is listed there.
If you had discovered a real vulnerability, the ASF has created guidelines for
how to report it, detailed here: https://www.apache.org/security/. Ideally, a
report is sent to secur...@apache.org first, but if a JIRA is created first
instead, you are encouraged to mark the issue as private so attack vectors are
not exposed to the general public before they can be mitigated by the community
in the form of patches or new releases.
> CVE-2015-1832 Threat Level 9 Against Solr v7.6. org.apache.derby : derby :
> 10.9.1.0. XML external entity (XXE) vulnerability in the SqlXmlUtil code in
> Apache Derby before 10.12.1.1, w/o Java Security Manager, ...attackers to
> read arbitrary files or DOS
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SOLR-13109
> URL: https://issues.apache.org/jira/browse/SOLR-13109
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 7.6
> Environment: RedHat Linux. May run from RHEL versions 5, 6 or 7
> but this issue is from Sonatype component scan and should be independent of
> Linux platform version.
> Reporter: RobertHathaway
> Priority: Blocker
>
> Threat Level 9/Critical from Sonatype Application Composition Report run Of
> Solr - 7.6.0, Using Scanner 1.56.0-01. Enterprise security won't allow us to
> move past Solr 6.5 unless this is fixed or somehow remediated. Lots of issues
> in Solr 7.1 also, may be best to move to latest Solr.
> h2. CVE-2015-1832 Detail
> h3. Current Description
> XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache
> Derby before 10.12.1.1, when a Java Security Manager is not in place, allows
> context-dependent attackers to read arbitrary files or cause a denial of
> service (resource consumption) via vectors involving XmlVTI and the XML
> datatype.
> h3. Impact
> *CVSS v3.0 Severity and Metrics:*
> *Base Score:* [ 9.1 CRITICAL
> |https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2015-1832&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H]
>
> *Vector:* AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H ([V3
> legend|https://www.first.org/cvss/specification-document])
> *Impact Score:* 5.2
> *Exploitability Score:* 3.9
> [https://nvd.nist.gov/vuln/detail/CVE-2015-1832]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
