[ https://issues.apache.org/jira/browse/SOLR-13114?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Cassandra Targett resolved SOLR-13114. -------------------------------------- Resolution: Invalid The vulnerability reported by the scanner is a false positive. It is not possible to exploit the vulnerability in this dependency in Solr. We have created a page that includes this and several other dependencies that are flagged and explains how they are not true vulnerabilities for Solr: https://wiki.apache.org/solr/SolrSecurity#Solr_and_Vulnerability_Scanning_Tools. This .jar is listed there. If you had discovered a real vulnerability, the ASF has created guidelines for how to report it, detailed here: https://www.apache.org/security/. Ideally, a report is sent to secur...@apache.org first, but if a JIRA is created first instead, you are encouraged to mark the issue as private so attack vectors are not exposed to the general public before they can be mitigated by the community in the form of patches or new releases. > CVE-2018-8009 Threat Level 7 Against Solr v7.6. org.apache.hadoop : > hadoop-common : 2.7.4. Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to > 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable > via the zip slip vulnerability > ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: SOLR-13114 > URL: https://issues.apache.org/jira/browse/SOLR-13114 > Project: Solr > Issue Type: Bug > Security Level: Public(Default Security Level. Issues are Public) > Affects Versions: 7.6 > Environment: RedHat Linux. May run from RHEL versions 5, 6 or 7 but > this issue is from Sonatype component scan and should be independent of Linux > platform version. > Reporter: RobertHathaway > Priority: Blocker > > We can't move to Solr 7 without fixing this issue flagged by Sonatype scan Of > Solr - 7.6.0 Build, > Using Scanner 1.56.0-01 > Threat Level 7 Against Solr v7.6. org.apache.hadoop : hadoop-common : 2.7.4 > Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, > 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip > vulnerability in places that accept a zip file. > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8009 -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org