Hi,

Here is our security advisory regarding this issue: https://solr.apache.org/security.html#cve-2020-13941-apache-solr-information-disclosure-vulnerability

There will not be any 6.x releases. We encourage you to upgrade to the latest Solr version. If you upgrade, you should not upgrade to 8.6, but to the latest 8.11.x version. You may of course patch and build Solr yourself and run using a custom patched version, but that would likely be more work than doing the upgrade.

Jan

> On 28 Jan 2022 at 11:25, rashi gandhi <[email protected]> wrote:
>
> Hi All,
>
> Recently, due to the log4j vulnerability, our security team warns us of this "CVE-2020-13941" that was reported somewhere in 2020. Sharing some details on the CVE:
>
> "" Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these takes a location parameter, which was not validated, i.e. you could read/write to any location the solr user can access. ""
>
> A fix has been provided in Solr 8.6; however, we can't currently be in a position to either upgrade to 8.6 or lock down our Solr instances.
> My team is using Solr 6.4.2 in production and would appreciate a quick fix or patch to fix this problem.
> Does anyone have any ideas?
>
> Thanks,
> Rashi
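For readers weighing Jan's "patch and build Solr yourself" option against the quoted description of the flaw (an unvalidated `location` parameter that lets the handler read or write anywhere the solr user can), the following is an added illustration of the kind of path-confinement check such a patch needs. It is not Solr's code and not the SOLR-14561 patch (which, in 8.6, added path validation along with an `allowPaths` setting in solr.xml); the class name `LocationCheck`, the method names and the allowed-root list are hypothetical. The check canonicalizes the request (resolving symlinks on whatever part of the path already exists, since a backup target may not exist yet) and then tests component-wise containment with `Path.startsWith`, so `/var/solr/backups-evil` does not pass for a root of `/var/solr/backups`:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical path-confinement check for a user-supplied "location"
 * parameter. Written for this thread as an illustration; it is not
 * Solr's own code and does not reproduce the SOLR-14561 patch.
 */
public final class LocationCheck {

    /** Raised when the requested location is not under any allowed root. */
    public static final class LocationNotAllowedException extends Exception {
        LocationNotAllowedException(String msg) { super(msg); }
    }

    private LocationCheck() {}

    /**
     * Resolve the requested location and confirm it lies under one of the
     * allowed roots. Returns the canonical path the handler should use
     * (never the raw string), or throws if the location escapes the roots.
     */
    public static Path resolveAllowed(List<Path> allowedRoots, String requested)
            throws LocationNotAllowedException, IOException {
        if (requested == null || requested.isEmpty()) {
            throw new LocationNotAllowedException("location parameter is required");
        }
        Path candidate = canonicalize(Paths.get(requested));
        for (Path root : allowedRoots) {
            // startsWith compares whole path components, not string prefixes
            if (candidate.startsWith(canonicalize(root))) {
                return candidate;
            }
        }
        throw new LocationNotAllowedException(
                "location '" + requested + "' is outside the allowed directories");
    }

    /**
     * Make the path absolute, strip "." and ".." segments, and resolve
     * symlinks on the longest prefix that already exists. The non-existent
     * tail (e.g. a backup name to be created) is appended unchanged.
     */
    private static Path canonicalize(Path p) throws IOException {
        Path abs = p.toAbsolutePath().normalize();
        Path existing = abs;
        Path tail = Paths.get("");
        while (existing != null && !Files.exists(existing)) {
            tail = existing.getFileName().resolve(tail);
            existing = existing.getParent();
        }
        if (existing == null) {
            return abs; // no existing ancestor at all; nothing to resolve
        }
        return existing.toRealPath().resolve(tail).normalize();
    }

    /** Small self-contained demonstration using a temporary allowed root. */
    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("solr-backups"); // constructed sample root
        List<Path> allowed = Collections.singletonList(root);

        String[] requests = {
            root.resolve("snapshot.20220128").toString(),     // inside root: accepted
            root.resolve("../outside").toString(),            // climbs out of root: rejected
            root.toString() + "-evil",                        // string prefix only: rejected
            "/",                                              // arbitrary absolute path: rejected
        };
        for (String r : requests) {
            try {
                System.out.println("ACCEPT " + resolveAllowed(allowed, r));
            } catch (LocationNotAllowedException e) {
                System.out.println("REJECT " + e.getMessage());
            }
        }
    }
}
```

Run with `java LocationCheck.java` (JDK 11 or later); the first request is accepted and the other three are rejected. Whatever the handler does with the path afterwards should use the returned canonical `Path`, not the original string.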
