...
Solr Versions | Jar or Path | Related CVEs | Date Added | Status & Notes |
---|---|---|---|---|
8.1.0-today | avatica-core-1.13.0.jar and calcite-core-1.18.0.jar | 2020-13955 | 20 Nov 2020 | Calcite is only used in the /sql handler and is not exposed directly to the user, so it is not possible to make connections in a way that could cause exposure to this CVE. |
5.4.0-today | | 2018-10237 | 31 Dec 2018 | Only used with the Carrot2 clustering engine. |
4.9.0-7.5.0 | | 2014-0114 | 6 Jun 2018 | This is only used at compile time and it cannot be used to attack Solr. Since it is generally unnecessary, the dependency has been removed as of 7.5.0. See SOLR-12617. |
8.0.0-8.3.0 | commons-beanutils-1.9.3.jar | 2019-10086 | 21 Nov 2019 | While commons-beanutils was removed in 7.5, it was added back in 8.0 in error and removed again in 8.3. The vulnerable class was not used in any Solr code path. This jar remains a dependency of both Velocity and hadoop-common, but Solr does not use it in our implementations. |
4.6.0-today | | 2012-2098, 2018-1324, 2018-11771 | 31 Dec 2018 | Only used in test framework and at build time. |
4.6.0-today | | | 3 Nov 2018 | Used only in DataImportHandler tests and example implementation, which should not be used in production. |
4.6.0-today | | 2018-1000632 | 31 Dec 2018 | Only used in Solr tests. |
4.6.0-today | | 2018-10237, etc. | 31 Dec 2018 | Only used in tests. |
6.6.1-7.6.0 | | | 6 Jun 2018 | Does not impact Solr because Solr uses Hadoop as a client library. |
6.0.0-7.5.0 | | 2017-14952 | 6 Jun 2018 | Issue applies only to the C++ release of ICU and not ICU4J, which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0. |
4.7.0-today | | 2017-15095, 2017-17485, 2017-7525, 2018-5968, 2018-7489, 2019-12086, 2019-12384, 2018-12814, 2019-14379, 2019-14439, 2021-20190, 2019-14540, 2019-16335 | 6 Jun 2018 | These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic “gadgets” that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Two CVEs, 14540 & 16335, are related to HikariConfig and HikariDataSource classes, neither of which are used in Solr's code base. |
7.7.0-8.2 | jetty-9.4.14 | 2019-10241, 2019-10247 | 18 Oct 2019 | Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier versions can manually patch their configurations as described in SOLR-13409. |
7.3.0-8.8.0 | jetty-9.4.0 to 9.4.34 | 2020-27218 | 18 Feb 2021 | Only exploitable through use of Jetty's GzipHandler, which is only implemented in Embedded Solr Server. |
7.3.0-present | jetty-9.4.6 to 9.4.36 | 2020-27223 | 1 Jun 2021 | Only exploitable if Solr's webapp directory is deployed as a symlink, which is not Solr's default. |
4.6.0-7.6.0 | | 2018-1000056 | 31 Dec 2018 | JUnit only used in tests; CVE only refers to a Jenkins plugin not used by Solr. |
7.3.1 | | 2014-7940, 2016-6293, 2016-7415, 2017-14952, 2017-17484, 2017-7867, 2017-7868 | 6 Jun 2018 | All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses. |
8.2-8.3 | netty-all-4.1.29.Final.jar | 2019-16869 | 21 Nov 2019 | This is not included in Solr but is a dependency of ZooKeeper 3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with Solr 8.3. The specific classes mentioned in the CVE are not used in Solr (nor in ZooKeeper as far as the Solr community can determine). |
5.2.0-today | | 2017-14868, 2017-14949 | 31 Dec 2018 | Solr should not be exposed outside a firewall where bad actors can send HTTP requests. These two CVEs specifically involve classes (SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use in any code path. |
6.5.0-today | | | 3 Nov 2018 | Dependency for Hadoop and Calcite. ?? |
5.4.0-7.7.2, 8.0-8.3 | | 2018-1471 | 3 Jan 2019 | Dependency of Carrot2 and used during compilation, not at runtime (see SOLR-769). This .jar was replaced in Solr 8.3 and backported to 7.7.3 (see SOLR-13779). |
4.x-today | | 2018-8088 | 6 Feb 2019 | The reported CVE impacts |
7.3.1-7.5.0 | | 2018-1335 | 6 Jun 2018 | Solr does not run tika-server, so this is not a problem. |
7.3.1-today | | 2018-1338, 2018-1339, and various others | 6 Jun 2018 | All Tika issues that could be Solr vulnerabilities would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems as indicated above. Additionally, Solr upgraded to Tika 1.18 in Solr 7.4, so Solr does not consider these valid CVEs for Solr. |
6.6.2-today | | | 3 Nov 2018 | Solr does not ship a Struts jar. This is a transitive POM listing and not included with Solr (see comment in SOLR-2849). |
5.5.5, 6.2.0-today | | 2016-6809, 2018-1335, 2018-1338, 2018-1339 | 6 Jun 2018 | See https://github.com/Gagravarr/VorbisJava/issues/30; reported CVEs are not related to OggVorbis at all. |
~2.9-today | | | 6 Jun 2018 | Only used in Lucene Benchmarks and Solr tests. |
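The table above is most useful when a dependency scanner flags one of these CVEs against a deployed Solr and an operator needs to know whether the project has already triaged it for that release. The script below is an added example, not Solr project code: it parses a markdown table in the format used above (a re-typed subset of the rows, with shortened notes, is embedded as `TABLE`), interprets the "Solr Versions" column with all the range forms the page uses (`8.0.0-8.3.0`, `4.x-today`, `5.4.0-7.7.2, 8.0-8.3`, `~2.9-today`, a bare `7.3.1`), and reports which reported CVEs the table already explains for a given Solr version and which still need a real review. The function names, the `TABLE` subset and the placeholder `CVE-0000-00000` in the sample run are this example's own constructions.

```python
"""Triage scanner CVE findings against a Solr "vulnerable dependency" table.

Added example, not Solr project code.  Reads a markdown table in the page's
format, matches the "Solr Versions" ranges against a concrete release, and
says which reported CVEs the table already covers for that release.
"""
import re

# Re-typed subset of the page's rows (notes shortened), in the page's own layout.
TABLE = """\
Solr Versions | Jar or Path | Related CVEs | Date Added | Status & Notes |
---|---|---|---|---|
8.1.0-today | avatica-core-1.13.0.jar and calcite-core-1.18.0.jar | 2020-13955 | 20 Nov 2020 | Calcite is only used in the /sql handler and is not exposed directly to the user. |
8.0.0-8.3.0 | commons-beanutils-1.9.3.jar | 2019-10086 | 21 Nov 2019 | The vulnerable class was not used in any Solr code path. |
4.6.0-today | | 2018-1000632 | 31 Dec 2018 | Only used in Solr tests. |
7.7.0-8.2 | jetty-9.4.14 | 2019-10241, 2019-10247 | 18 Oct 2019 | Solr upgraded to Jetty 9.4.19 for the 8.2 release. |
5.4.0-7.7.2, 8.0-8.3 | | 2018-1471 | 3 Jan 2019 | Dependency of Carrot2 and used during compilation, not at runtime. |
4.x-today | | 2018-8088 | 6 Feb 2019 | The reported CVE impacts |
~2.9-today | | | 6 Jun 2018 | Only used in Lucene Benchmarks and Solr tests. |
"""

CVE_RE = re.compile(r"\b(\d{4}-\d{4,})\b")   # the table lists CVEs without the "CVE-" prefix
OPEN_ENDED = {"today", "present"}


def parse_version(text):
    """'8.3.0' -> (8, 3, 0); '~2.9' -> (2, 9); '4.x' -> (4,).
    A trailing 'x' is dropped so the tuple acts as a prefix covering every 4.* release."""
    parts = []
    for p in text.strip().lstrip("~").split("."):
        if p.lower() == "x":
            break
        parts.append(int(p))
    return tuple(parts)


def parse_version_spec(spec):
    """'5.4.0-7.7.2, 8.0-8.3' -> [((5,4,0),(7,7,2)), ((8,0),(8,3))].
    An upper bound of None means open-ended ('today' / 'present')."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (s.strip() for s in part.split("-", 1))
            ranges.append((parse_version(lo), None if hi.lower() in OPEN_ENDED else parse_version(hi)))
        elif part:
            v = parse_version(part)          # a bare "7.3.1" names that release only
            ranges.append((v, v))
    return ranges


def _pad(t, n):
    return tuple(t) + (0,) * (n - len(t))


def version_in_spec(version, spec):
    """True if the release falls inside any range of the spec."""
    v = parse_version(version)
    for lo, hi in parse_version_spec(spec):
        n = max(len(v), len(lo))
        if _pad(v, n) < _pad(lo, n):
            continue
        # An upper bound names a whole line: "8.3" covers 8.3.x, "8.3.0" covers only 8.3.0.
        if hi is None or _pad(v, len(hi))[:len(hi)] <= hi:
            return True
    return False


def parse_table(text):
    """Markdown rows in the page's 'a | b | c |' layout -> list of dicts keyed by header."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = [c.strip() for c in lines[0].strip().strip("|").split("|")]
    rows = []
    for line in lines[2:]:                   # skip the header and the ---|--- separator
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        cells += [""] * (len(header) - len(cells))   # empty "Jar or Path" cells survive
        row = dict(zip(header, cells))
        row["cves"] = {"CVE-" + m for m in CVE_RE.findall(row["Related CVEs"])}
        rows.append(row)
    return rows


def triage(solr_version, reported_cves, table_text=TABLE):
    """Return (explained, unexplained): explained maps each reported CVE to the
    (jar, note) pairs of table rows whose version range covers solr_version."""
    rows = parse_table(table_text)
    explained, unexplained = {}, []
    for cve in sorted(reported_cves):
        hits = [r for r in rows if cve in r["cves"] and version_in_spec(solr_version, r["Solr Versions"])]
        if hits:
            explained[cve] = [(r["Jar or Path"] or "(jar not named)", r["Status & Notes"]) for r in hits]
        else:
            unexplained.append(cve)
    return explained, unexplained


if __name__ == "__main__":
    # Constructed scanner output; CVE-0000-00000 is a placeholder for a finding the table lacks.
    findings = {"CVE-2019-10086", "CVE-2019-10241", "CVE-2018-1471", "CVE-0000-00000"}
    explained, unexplained = triage("8.2.0", findings)
    for cve, hits in explained.items():
        for jar, note in hits:
            print(f"{cve}: table row [{jar}] says: {note}")
    print("not covered by the table for 8.2.0, needs review:", unexplained)
```

Because the upper bound of a range is treated as a whole release line, `8.0-8.3` covers 8.3.1 while `8.0.0-8.3.0` does not, which matches how the page mixes two- and three-part versions; a CVE that the table covers only for another release line (for example `CVE-2019-10086` on 8.4.0) correctly lands in the unexplained list rather than being waved through.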
...