[ https://issues.apache.org/jira/browse/SOLR-16285?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17621376#comment-17621376 ]
David Smiley commented on SOLR-16285:
-------------------------------------
Whether this is a security issue or not entirely depends on if the file is
"trusted" or not. Otherwise, it's a feature (it's why this ability is there in
the first place). Commons-configuration is only used by Solr for Hadoop-Auth
for files that would only be authored by trusted admins. I'll update
https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity accordingly.
> [CVE-2022-33980] Apache Commons Configuration performs variable
> interpolation, allowing properties to be dynamically evaluated and expanded
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SOLR-16285
> URL: https://issues.apache.org/jira/browse/SOLR-16285
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: zhao tao
> Assignee: Kevin Risden
> Priority: Major
> Labels: security
>
> Apache Commons Configuration performs variable interpolation, allowing
> properties to be dynamically evaluated and expanded
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33980]
> org.apache.commons:commons-configuration2:2.7 should be updated to 2.8.0