Hello,

I only checked the Solr Docker image, but I assume that https://access.redhat.com/security/cve/CVE-2021-31879 affects only the Docker image, as it refers to a security problem with the command line tool "wget", which may be used in an updated (fixed) version when installing without the Docker image. I doubt that Solr itself calls "wget" – it's probably only used for setting up the Docker image.

https://github.com/advisories/GHSA-jgvc-jfgh-rjvv is about a JAR dependency (org.bitbucket.b_c:jose4j) and thus a candidate for a real issue (though only severity "moderate").

I am hoping for confirmation from the Solr team that this is a "false positive" and Solr is not affected at all.

Best
Stefan

From: Thomas Heldmann <thomas.heldm...@bsb-muenchen.de>
Date: Monday, 21 August 2023 at 14:26
To: users@solr.apache.org <users@solr.apache.org>
Subject: Re: Solr Image 8.11.2 susceptible to CVE-2021-31879 and GHSA-jgvc-jfgh-rjvv

Dear Mr Pieper,

Do these security issues only affect Solr Docker image 8.11.2, or also Solr installations on local computers and SolrCloud installations on servers (= Solr clusters)?

Best regards,
Thomas Heldmann

--
Thomas Heldmann
Bayerische Staatsbibliothek
Verbundzentrale des Bibliotheksverbunds Bayern
Leopoldstraße 240
80807 München
Tel.: 089/28638-4153
E-Mail: thomas.heldm...@bsb-muenchen.de

>>> "Pieper, Stefan" <stefan.pie...@coremedia.com.INVALID> wrote on 21.08.2023 at 13:39:
> Hi,
>
> security scans on the Solr Docker image 8.11.2 show that this is susceptible
> to these security issues:
>
> https://github.com/advisories/GHSA-jgvc-jfgh-rjvv
> https://access.redhat.com/security/cve/CVE-2021-31879
>
> I am unable to find any information on possible impact and workarounds
> on/for Solr.
>
> Do you have any insights into this?
>
> Thanks!
> Stefan
>
> --
> Stefan Pieper
> Senior Software Engineer
>
> E-Mail: stefan.pie...@coremedia.com
> www.coremedia.com
>
> CoreMedia GmbH
> Rödingsmarkt 9, 20459 Hamburg, Germany
> Managing Director: Sören Stamer
> Commercial Register: Amtsgericht Hamburg, HRB 162480