-
Notifications
You must be signed in to change notification settings - Fork 26
/
vex-input.json
470 lines (470 loc) · 13.5 KB
/
vex-input.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
[
{
"ids": [
"CVE-2022-33980"
],
"versions": "< 9.1",
"jars": [
"commons-configuration2-2.7.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Solr uses commons-configuration2 for \"hadoop-auth\" only (for Kerberos). It is only used for loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted)."
}
},
{
"ids": [
"CVE-2022-42889"
],
"versions": "< 9.1",
"jars": [
"commons-text-1.9.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Solr uses commons-text directly (StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not vulnerable. Solr also has a \"hadoop-auth\" module that uses Apache Hadoop which uses commons-text through commons-configuration2. For Solr, the concern is limited to loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted)."
}
},
{
"ids": [
"CVE-2022-25168"
],
"versions": "< 9.1",
"jars": [
"hadoop-common-3.2.2.jar"
],
"analysis": {
"state": "not_affected",
"detail": "The vulnerable code won't be used by Solr because Solr only is only using HDFS as a client."
}
},
{
"ids": [
"CVE-2021-44832"
],
"versions": "7.4-8.11.1",
"jars": [
"log4j-core-2.14.1.jar",
"log4j-core-2.16.0.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Solr's default log configuration doesn't use JDBCAppender and we don't imagine a user would want to use it or other obscure appenders."
}
},
{
"ids": [
"CVE-2021-45105",
"CVE-2021-45046"
],
"versions": "7.4-8.11.1",
"jars": [
"log4j-core-2.14.1.jar",
"log4j-core-2.16.0.jar"
],
"analysis": {
"state": "not_affected",
"detail": "The MDC data used by Solr are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized. Furthermore, Solr's default log configuration doesn't use double-dollar-sign and we don't imagine a user would want to do that."
}
},
{
"ids": [
"CVE-2020-13955"
],
"versions": "8.1.0- today",
"jars": [
"avatica-core-1.13.0.jar",
"calcite-core-1.18.0.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Solr's SQL adapter does not use the vulnerable class \"HttpUtils\". Calcite only used it to talk to Druid or Splunk."
}
},
{
"ids": [
"CVE-2018-10237"
],
"versions": "5.4.0-today",
"jars": [
"carrot2-guava-18.0.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Only used with the Carrot2 clustering engine."
}
},
{
"ids": [
"CVE-2014-0114"
],
"versions": "4.9.0-7.5.0",
"jars": [
"commons-beanutils-1.8.3.jar"
],
"analysis": {
"state": "not_affected",
"detail": "This is only used at compile time and it cannot be used to attack Solr. Since it is generally unnecessary, the dependency has been removed as of 7.5.0. See SOLR-12617."
}
},
{
"ids": [
"CVE-2019-10086"
],
"versions": "8.0.0-8.3.0",
"jars": [
"commons-beanutils-1.9.3.jar"
],
"analysis": {
"state": "not_affected",
"detail": "While commons-beanutils was removed in 7.5, it was added back in 8.0 in error and removed again in 8.3. The vulnerable class was not used in any Solr code path. This jar remains a dependency of both Velocity and hadoop-common, but Solr does not use it in our implementations."
}
},
{
"ids": [
"CVE-2012-2098",
"CVE-2018-1324",
"CVE-2018-11771"
],
"versions": "4.6.0-today",
"jars": [
"commons-compress (only as part of Ant 1.8.2)"
],
"analysis": {
"state": "not_affected",
"detail": "Only used in test framework and at build time."
}
},
{
"ids": [
"CVE-2018-1000632"
],
"versions": "4.6.0-today",
"jars": [
"dom4j-1.6.1.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Only used in Solr tests."
}
},
{
"ids": [
"CVE-2018-10237"
],
"versions": "4.6.0-today",
"jars": [
"guava-*.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Only used in tests."
}
},
{
"ids": [
"CVE-2017-15718"
],
"versions": "6.6.1-7.6.0",
"jars": [
"hadoop-auth-2.7.4.jar",
"hadoop-hdfs-2.7.4.jar (all Hadoop)"
],
"analysis": {
"state": "not_affected",
"detail": "Does not impact Solr because Solr uses Hadoop as a client library."
}
},
{
"ids": [
"CVE-2017-14952"
],
"versions": "6.0.0-7.5.0",
"jars": [
"icu4j-56.1.jar",
"icu4j-59.1.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Issue applies only to the C++ release of ICU and not ICU4J, which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0"
}
},
{
"ids": [
"CVE-2017-15095",
"CVE-2017-17485",
"CVE-2017-7525",
"CVE-2018-5968",
"CVE-2018-7489",
"CVE-2019-12086",
"CVE-2019-12384",
"CVE-2018-12814",
"CVE-2019-14379",
"CVE-2019-14439",
"CVE-2020-35490",
"CVE-2020-35491",
"CVE-2021-20190",
"CVE-2019-14540",
"CVE-2019-16335"
],
"versions": "4.7.0-today",
"jars": [
"jackson-databind-*.jar"
],
"analysis": {
"state": "not_affected",
"detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described which makes these CVEs unexploitable. The specific condition that Solr does not meet is the 3rd one: 'Enable polymorphic type handling' Solr does not include any polymorphic type handling, and Solr does not configure jackson-databind de/serialization to expect or include class names in serialized JSON. Two CVEs, 2019-14540 & 2019-16335, are related to HikariConfig and HikariDataSource classes, neither of which are used in Solr's code base."
}
},
{
"ids": [
"CVE-2019-10241",
"CVE-2019-10247"
],
"versions": "7.7.0-8.2",
"jars": [
"jetty-9.4.14"
],
"analysis": {
"state": "not_affected",
"detail": "Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier versions can manually patch their configurations as described in SOLR-13409."
}
},
{
"ids": [
"CVE-2020-27218"
],
"versions": "7.3.0-8.8.0",
"jars": [
"jetty-9.4.0 to 9.4.34"
],
"analysis": {
"state": "not_affected",
"detail": "Only exploitable through use of Jetty's GzipHandler, which is only implemented in Embedded Solr Server."
}
},
{
"ids": [
"CVE-2020-27223"
],
"versions": "7.3.0-present",
"jars": [
"jetty-9.4.6 to 9.4.36"
],
"analysis": {
"state": "not_affected",
"detail": "Only exploitable if Solr's webapp directory is deployed as a symlink, which is not Solr's default."
}
},
{
"ids": [
"CVE-2021-33813"
],
"versions": "to present",
"jars": [
"jdom-*.jar"
],
"analysis": {
"state": "not_affected",
"detail": "JDOM is only used in Solr Cell, which should not be used in production which makes the vulnerability unexploitable. It is a dependency of Apache Tika, which has analyzed the issue and determined the vulnerability is limited to two libraries not commonly used in search applications, see TIKA-3488 for details. Since Tika should be used outside of Solr, use a version of Tika which updates the affected libraries if concerned about exposure to this issue."
}
},
{
"ids": [
"CVE-2018-1000056"
],
"versions": "4.6.0-7.6.0",
"jars": [
"junit-4.10.jar"
],
"analysis": {
"state": "not_affected",
"detail": "JUnit only used in tests; CVE only refers to a Jenkins plugin not used by Solr."
}
},
{
"ids": [
"CVE-2014-7940",
"CVE-2016-6293",
"CVE-2016-7415",
"CVE-2017-14952",
"CVE-2017-17484",
"CVE-2017-7867",
"CVE-2017-7868"
],
"versions": "7.3.1",
"jars": [
"lucene-analyzers-icu-7.3.1.jar"
],
"analysis": {
"state": "not_affected",
"detail": "All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses."
}
},
{
"ids": [
"CVE-2019-16869"
],
"versions": "8.2-8.3",
"jars": [
"netty-all-4.1.29.Final.jar"
],
"analysis": {
"state": "not_affected",
"detail": "This is not included in Solr but is a dependency of ZooKeeper 3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with Solr 8.3. The specific classes mentioned in the CVE are not used in Solr (nor in ZooKeeper as far as the Solr community can determine)."
}
},
{
"ids": [
"CVE-2017-14868",
"CVE-2017-14949"
],
"versions": "5.2.0-today",
"jars": [
"org.restlet-2.3.0.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Solr should not be exposed outside a firewall where bad actors can send HTTP requests. These two CVEs specifically involve classes (SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use in any code path."
}
},
{
"ids": [
"CVE-2015-5237"
],
"versions": "6.5.0-today",
"jars": [
"protobuf-java-3.1.0.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Dependency for Hadoop and Calcite. ??"
}
},
{
"ids": [
"CVE-2018-1471"
],
"versions": "5.4.0-7.7.2, 8.0-8.3",
"jars": [
"simple-xml-2.7.1.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Dependency of Carrot2 and used during compilation, not at runtime (see SOLR-769. This .jar was replaced in Solr 8.3 and backported to 7.7.3 (see SOLR-13779)."
}
},
{
"ids": [
"CVE-2018-8088"
],
"versions": "4.x-today",
"jars": [
"slf4j-api-1.7.24.jar",
"jcl-over-slf4j-1.7.24.jar",
"jul-to-slf4j-1.7.24.jar"
],
"analysis": {
"state": "not_affected",
"detail": "The reported CVE impacts org.slf4j.ext.EventData, which is not used in Solr."
}
},
{
"ids": [
"CVE-2018-1335"
],
"versions": "7.3.1-7.5.0",
"jars": [
"tika-core.1.17.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Solr does not run tika-server, so this is not a problem."
}
},
{
"ids": [
"CVE-"
],
"versions": "7.3.1-today",
"jars": [
"tika-core.*.jar"
],
"analysis": {
"state": "not_affected",
"detail": "All Tika issues that could be Solr vulnerabilities would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems, so Solr does not consider these valid CVEs for Solr."
}
},
{
"ids": [
"CVE-"
],
"versions": "6.6.2-today",
"jars": [
"velocity-tools-2.0.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Solr does not ship a Struts jar. This is a transitive POM listing and not included with Solr (see comment in SOLR-2849)."
}
},
{
"ids": [
"CVE-2016-6809",
"CVE-2018-1335",
"CVE-2018-1338",
"CVE-2018-1339"
],
"versions": "5.5.5, 6.2.0-today",
"jars": [
"vorbis-java-tika-0.8.jar"
],
"analysis": {
"state": "not_affected",
"detail": "See https://github.com/Gagravarr/VorbisJava/issues/30; reported CVEs are not related to OggVorbis at all."
}
},
{
"ids": [
"CVE-2012-0881"
],
"versions": "~2.9-today",
"jars": [
"xercesImpl-2.9.1.jar"
],
"analysis": {
"state": "not_affected",
"detail": "Only used in Lucene Benchmarks and Solr tests."
}
},
{
"ids": [
"CVE-2022-39135"
],
"versions": "6.5-8.11.2, 9.0",
"jars": [
"calcite-1.31.0.jar"
],
"analysis": {
"state": "exploitable",
"response": [
"update"
],
"detail": "Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to Solr's '/sql' handler (even indirectly via proxies / other apps), then the user could perform an XML External Entity (XXE) attack. This might have been exposed by some deployers of Solr in order for internal analysts to use JDBC based tooling, but would have unlikely been granted to wider audiences."
}
},
{
"ids": [
"CVE-2023-51074",
"GHSA-pfh2-hfmq-phg5"
],
"versions": "all",
"jars": [
"json-path-2.8.0.jar"
],
"analysis": {
"state": "not_affected",
"detail": "The only places we use json-path is for querying (via Calcite) and for transforming/indexing custom JSON. Since the advisory describes a problem that is limited to the current thread, and users that are allowed to query/transform/index are already trusted to cause load to some extent, this advisory does not appear to have impact on the way json-path is used in Solr."
}
}
]