[
https://issues.apache.org/jira/browse/SOLR-17825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18049825#comment-18049825
]
Jan Høydahl commented on SOLR-17825:
------------------------------------
Beanutils is pulled in through Cross-DC manager's kafka dependency.
{code:java}
+--- project :solr:cross-dc-manager
| +--- org.apache.kafka:kafka_2.13:3.9.1
| | +--- commons-validator:commons-validator:1.7
| | | +--- commons-beanutils:commons-beanutils:1.9.4
{code}
I checked, and even the latest version of kafka_2.13
https://mvnrepository.com/artifact/org.apache.kafka/kafka_2.13 depends on the
same beanutils version:
{code:java}
+--- org.apache.kafka:kafka_2.13:4.1.1
| +--- commons-validator:commons-validator:1.9.0
| | +--- commons-beanutils:commons-beanutils:1.9.4
{code}
So I guess your request should go to kafka project or the commons project to
get the beanutils upgraded. You could always try to force upgrade the
transitive dep inside of Solr and see if all tests still run, but it is
preferable to pull it in through our 1st party deps.
> Upgrade commons-beanutils jar to 1.11.0+ to fix CVE-2025-48734
> ---------------------------------------------------------------
>
> Key: SOLR-17825
> URL: https://issues.apache.org/jira/browse/SOLR-17825
> Project: Solr
> Issue Type: Improvement
> Affects Versions: 9.8.1
> Reporter: Dhoka Pramod
> Priority: Critical
>
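A check for the situation described in the comment, as an added example (not part of the Jira comment or of Solr's build): it parses tree output in the layout Gradle's `dependencies` task prints, reports which chain pulls in a commons-beanutils older than the 1.11.0 named in the issue title, and shows that a forced upgrade appears as a resolved version. The sample tree is constructed from the one in the comment; `find_paths` and `version_key` are hypothetical names.

```python
import re

# Constructed sample, modelled on the tree quoted in the comment
# (5-character indent per level, as Gradle prints it).
SAMPLE_TREE = """\
+--- project :solr:cross-dc-manager
|    +--- org.apache.kafka:kafka_2.13:3.9.1
|    |    +--- commons-validator:commons-validator:1.7
|    |    |    +--- commons-beanutils:commons-beanutils:1.9.4
"""
# Same tree after a forced upgrade: Gradle shows "declared -> resolved".
FORCED_TREE = SAMPLE_TREE.replace("1.9.4", "1.9.4 -> 1.11.0")

NODE = re.compile(
    r"^(?P<indent>[| ]*)[+\\]--- (?P<coord>(?:project )?\S+)(?: -> (?P<resolved>\S+))?"
)

def version_key(version):
    """Numeric comparison key; plain string comparison would rank 1.9.4 above 1.11.0."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def find_paths(tree_text, artifact, min_version):
    """Return (dependency chain, resolved version) for each use of `artifact` below `min_version`."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        depth = len(m["indent"]) // 5          # one tree level per 5 characters
        del stack[depth:]                      # drop siblings and deeper nodes
        stack.append(m["coord"])
        parts = m["coord"].split(":")
        name = ":".join(parts[:2])             # group:artifact
        declared = parts[2] if len(parts) > 2 else None
        resolved = m["resolved"] or declared   # the version actually on the classpath
        if name == artifact and resolved and version_key(resolved) < version_key(min_version):
            hits.append((list(stack), resolved))
    return hits

if __name__ == "__main__":
    for label, tree in (("original", SAMPLE_TREE), ("forced", FORCED_TREE)):
        found = find_paths(tree, "commons-beanutils:commons-beanutils", "1.11.0")
        print(label, "->", found or "no version below 1.11.0")
```
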