...
Date | CVE | Title | Impacted Versions | Mitigation | Links
---|---|---|---|---|---
2020-10-12 | CVE-2020-13957 | The checks added to unauthenticated configset uploads can be circumvented | 6.6.0 to 6.6.5, 7.0.0 to 7.7.3, 8.0.0 to 8.6.2 | Can only be mitigated with either a Solr upgrade or a start argument change. | Jira issues: SOLR-14925 and SOLR-14663
2020-08-14 | CVE-2020-13941 | The Replication handler can expose information it shouldn't | < 8.6 | Upgrade to Solr 8.6, and/or ensure only trusted clients can make requests of Solr's replication handler. |
2019-12-30 | CVE-2019-17558 | RCE vulnerability through VelocityResponseWriter | 5.0.0 to 8.3.1 | Can only be mitigated with either a Solr upgrade or a configuration change. | Jira issues: SOLR-13971 and SOLR-14025
2019-11-18 | CVE-2019-12409 | RCE vulnerability due to bad config default | 8.1.1 to 8.2.0 | Can be mitigated with either a Solr upgrade or a configuration change. | Jira issue:
2019-09-09 | CVE-2019-12401 | XML Bomb in Apache Solr versions prior to 5.0 | 1.3.0 to 1.4.1, 3.1.0 to 3.6.2, 4.0.0 to 4.10.4 | Can only be mitigated with a Solr upgrade. | Jira issue: SOLR-13750
2019-07-31 | CVE-2019-0193 | Remote Code Execution via DataImportHandler | all up to 8.2.0 | Can be mitigated with either a Solr upgrade or a configuration change. | Jira issue: SOLR-13669
2019-03-06 | CVE-2019-0192 | Deserialization of untrusted data via jmx.serviceUrl | 5.0.0 to 5.5.5, 6.0.0 to 6.6.5 | Can be mitigated with either a Solr upgrade or a configuration change. | Jira issue: SOLR-13301
2019-02-12 | CVE-2017-3164 | SSRF issue in Apache Solr | 1.3.0 to 7.6.0 | Can only be mitigated with a Solr upgrade. | Jira issue: SOLR-12770
2018-04-08 | CVE-2018-1308 | XXE attack through DIH's dataConfig request parameter | 1.2 to 6.6.2, 7.0.0 to 7.2.1 | Can be mitigated with either a Solr upgrade or a configuration change. | Jira issue: SOLR-11971
2017-10-26 | CVE-2016-6809 | Arbitrary Code Execution Vulnerability in Apache Tika | 1.2 to 6.6.1, 7.0 | This vulnerability is in Apache Tika versions earlier than 1.14. A Tika dependency update was released in Solr 6.6.2 and Solr 7.1. Can only be mitigated with a Solr upgrade. | Jira issue: SOLR-10335
2017-10-18 | CVE-2017-12629 | Several XXE & RCE vulnerabilities in Apache Solr | 5.5.0 to 5.5.4, 6.0.0 to 6.6.1, 7.0.0 to 7.0.1 | Can be mitigated with either a Solr upgrade or a configuration change. | Jira issues: SOLR-11482 and SOLR-11477
2017-09-18 | CVE-2017-9803 | Vulnerability in Kerberos delegation token functionality | 6.2.0 to 6.6.0 | Can only be mitigated with a Solr upgrade. | Jira issue: SOLR-11184
2017-07-07 | CVE-2017-7660 | Vulnerability in secure inter-node communication | 5.3.0 to 5.5.4, 6.0.0 to 6.5.1 | Can only be mitigated with a Solr upgrade. | Jira issue: SOLR-10624
2017-02-15 | CVE-2017-3163 | ReplicationHandler path traversal attack | 1.4.0 to 6.4.0 | Can only be mitigated with a Solr upgrade. | Jira issue: SOLR-10031
...