[https://issues.apache.org/jira/browse/SOLR-16333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577584#comment-17577584]
Jan Høydahl commented on SOLR-16333:
------------------------------------
As a general rule, the Solr PMC will not accept the output of a vulnerability
scan as a security report.
Please do not open issues on unconfirmed bugs. See
[https://solr.apache.org/security.html] and always check the list of false
positives first:
[https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools].
The existence of a CVE in one of Solr's dependencies does not mean that Solr is
vulnerable. We encourage you as a user to explain why you believe the reported
CVE to be a real issue for Solr. We appreciate if you do that for each of the
Solr JIRAs you recently reported. This is a great way for you to contribute to
help this open source project. Another way is to provide a Pull Request with
actual upgrades of dependency libraries.
> CVE-2021-22569 | CVSS 7 | com.google.protobuf_protobuf-java
> -----------------------------------------------------------
>
> Key: SOLR-16333
> URL: https://issues.apache.org/jira/browse/SOLR-16333
> Project: Solr
> Issue Type: Bug
> Security Level: Public (Default Security Level. Issues are Public)
> Affects Versions: 9.0, 8.11.2
> Reporter: Chris Sabelstrom
> Priority: Major
> Attachments: image-2022-08-09-10-14-07-215.png
>
>
> Our security scanner detected the following vulnerability. Please upgrade to
> version noted in Status column. Please fix this for 8.11 as well as 9.0.
> !image-2022-08-09-10-14-07-215.png!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)