[
https://issues.apache.org/jira/browse/SOLR-18082?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18069157#comment-18069157
]
Christos Malliaridis commented on SOLR-18082:
---------------------------------------------
Do we know which Solr version is affected by this / this issue refers to? I
believe it is resolved by aligning
org.glassfish.jersey.containers:jersey-container-jetty-http with the rest of
the jersey dependencies, as in https://github.com/apache/solr/pull/4244?
> Upgrade jersey version to 2.47 to fix CVE-2025-12383
> ----------------------------------------------------
>
> Key: SOLR-18082
> URL: https://issues.apache.org/jira/browse/SOLR-18082
> Project: Solr
> Issue Type: Task
> Security Level: Public(Default Security Level. Issues are Public)
> Components: SolrJ
> Reporter: Isha Kunwar
> Priority: Major
> Labels: dependencies, pull-request-available
>
> [https://nvd.nist.gov/vuln/detail/CVE-2025-12383]
>
> In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause
> ignoring of critical SSL configurations - such as mutual authentication,
> custom key/trust stores, and other security settings. This issue may result
> in SSLHandshakeException under normal circumstances, but under certain
> conditions, it could lead to unauthorized trust in insecure servers (see PoC)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
