sujeeth62 opened a new issue, #570:
URL: https://github.com/apache/solr-operator/issues/570
Following are the CVEs reported on Solr v0.7.0:
1. CVE-2023-29400: Templates containing actions in unquoted HTML attributes
(e.g. "attr={{.}}") executed with empty input can result in output with
unexpected results when parsed due to HTML normalization rules. This may allow
injection of arbitrary attributes into tags.
2. CVE-2023-24540: Not all valid JavaScript whitespace characters are
considered to be whitespace. Templates containing whitespace characters outside
of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that
also contain actions may not be properly sanitized during execution.
3. CVE-2023-24539: Angle brackets (<>) are not considered dangerous
characters when inserted into CSS contexts. Templates containing multiple
actions separated by a '/' character can result in unexpectedly closing the CSS
context and allowing for injection of unexpected HTML, if executed with
untrusted input.
Solr-Operator images need to be updated to 1.19.9, 1.20.4 in order to fix
the above.
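The three CVEs above are Go `html/template` bugs, so what matters for an image is the Go toolchain the operator binary was built with, which `go version -m <binary>` prints on its first line. Below is an added example, not code from this issue or from the Solr Operator project, that parses such a line and reports whether the build is below the 1.19.9 / 1.20.4 fix levels named in the issue. The function names, the sample `go version -m` lines and the treatment of minor lines outside 1.19/1.20 (older lines assumed unpatched, 1.21+ assumed fixed) are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// First patched patch level per minor line, as stated in the issue.
// Assumption of this example: 1.18 and older never received the fix,
// 1.21 and later shipped with it.
var fixedVersions = map[int]int{19: 9, 20: 4}

type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts "go1.19.8", "1.20.4", or the first line of
// `go version -m <binary>` output ("/path/to/bin: go1.19.3").
func parseGoVersion(s string) (goVersion, error) {
	line := strings.SplitN(strings.TrimSpace(s), "\n", 2)[0]
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return goVersion{}, fmt.Errorf("empty version string")
	}
	tok := strings.TrimPrefix(fields[len(fields)-1], "go")
	parts := strings.Split(tok, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised go version %q", tok)
	}
	var nums [3]int // missing patch component (e.g. "go1.20") parses as 0
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			// pre-releases like "go1.21rc1" are rejected rather than guessed
			return goVersion{}, fmt.Errorf("unrecognised go version %q: %w", tok, err)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

// affectedByIssue570 reports whether a binary built with v still carries the
// unpatched html/template for CVE-2023-29400, -24540 and -24539.
func affectedByIssue570(v goVersion) bool {
	if v.major != 1 {
		return false
	}
	switch {
	case v.minor < 19:
		return true
	case v.minor >= 21:
		return false
	default:
		return v.patch < fixedVersions[v.minor]
	}
}

// checkBuild is the entry point a scan over container images would call once
// per binary, feeding it the first line of `go version -m` output.
func checkBuild(versionLine string) (bool, error) {
	v, err := parseGoVersion(versionLine)
	if err != nil {
		return false, err
	}
	return affectedByIssue570(v), nil
}

func main() {
	// Constructed sample lines, not real scan output.
	samples := []string{
		"/usr/local/bin/solr-operator: go1.19.3",
		"/usr/local/bin/solr-operator: go1.20.4",
		"go1.21.0",
		"go1.21rc1",
	}
	for _, s := range samples {
		affected, err := checkBuild(s)
		if err != nil {
			fmt.Printf("%-42s error: %v\n", s, err)
			continue
		}
		fmt.Printf("%-42s affected=%v\n", s, affected)
	}
}
```

Run `go version -m` against the operator binary extracted from the image and feed the first line to `checkBuild`; an `affected=true` result means the image predates the fix levels in the issue and should be rebuilt.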
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]