...
The following table lists the dependencies and associated CVEs which are not considered problems for Lucene or Solr.
Solr Versions | Jar or Path | Related CVEs | Date Added | Status & Notes |
---|---|---|---|---|
7.3.1-7.5.0 |
| 2018-1335 | 6 Jun 2018 | Solr does not run tika-server, so this is not a problem. |
7.3.1-7.5.0 |
| 2018-1338, 2018-1339 | 6 Jun 2018 | These issues would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems as indicated above. Additionally, Solr upgraded to Tika 1.18 in Solr 7.4. |
4.7.0-7.3.1 |
| 2017-15095, 2017-17485, 2017-7525, 2018-5968, 2018-7489 | 6 Jun 2018 | Jackson was upgraded to 2.9.5 in Solr 7.4. |
7.3.1 |
| 2014-7940, 2016-6293, 2016-7415, 2017-14952, 2017-17484, 2017-7867, 2017-7868 | 6 Jun 2018 | All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses. |
6.0.0-7.5.0 |
| 2017-14952 | 6 Jun 2018 | Issue applies only to the C++ release of ICU and not ICU4J, which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0 |
6.6.1-7.6.0 |
| 6 Jun 2018 | Does not impact Solr because Solr uses Hadoop as a client library. | |
4.9.0-7.5.0 |
| 2014-0114 | 6 Jun 2018 | This is only used at compile time and it cannot be used to attack Solr. Since it is generally unnecessary, the dependency has been removed as of 7.5.0. |
5.5.5, 6.2.0-today |
| 2016-6809, 2018-1335, 2018-1338, 2018-1339 | 6 Jun 2018 | See https://github.com/Gagravarr/VorbisJava/issues/30; reported CVEs are not related to OggVorbis at all. |
~2.9-today |
| 6 Jun 2018 | Only used in Lucene Benchmarks and Solr tests. | |
6.6.2-today |
| 3 Nov 2018 | Solr does not ship a Struts jar. This is a transitive POM listing and not included with Solr (see comment in SOLR-2849). | |
6.5.0-today |
| 3 Nov 2018 | Dependency for Hadoop and Calcite. ?? | |
4.6.0-today |
| 3 Nov 2018 | Used only in DataImportHandler tests and example implementation, which should not be used in production. | |
4.6.0-7.6.0 |
| 2018-1000056 | 31 Dec 2018 | JUnit only used in tests; CVE only refers to a Jenkins plugin not used by Solr. |
4.6.0-today |
| 2018-1000632 | 31 Dec 2018 | Only used in Solr tests. |
5.2.0-today |
| 2017-14868, 2017-14949 | 31 Dec 2018 | Solr should not be exposed outside a firewall where bad actors can send HTTP requests. |
4.6.0-today |
| 2012-2098, 2018-1324, 2018-11771 | 31 Dec 2018 | Only used in test framework and at build time. |
5.4.0-today |
| 2018-10237 | 31 Dec 2018 | Only used with the Carrot2 clustering engine. |
4.6.0-today |
| 2018-10237 | 31 Dec 2018 | ?? |
5.4.0-today |
| 2018-1471 | 3 Jan 2019 | Dependency of Carrot2 and used during compilation, not at runtime (see SOLR-769). |
4.x-today |
| 2018-8088 | 6 Feb 2019 | The reported CVE impacts org.slf4j.ext.EventData, which is not used in Solr. |
7.7.0-8.2 | jetty-9.4.14 | 2019-10241, 2019-10247 | 18 Oct 2019 | Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier versions can manually patch their configurations as described in SOLR-13409. |