Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 8.8.1
- None
Description
Latest version of Solr 8.8.1 bundles the Apache Thrift v0.13.0 jar, which has the following vulnerabilities:
Vulnerability Details
CVE-2020-13949
Vulnerability Published: 2021-02-12 15:15 EST
Vulnerability Updated: 2021-02-18 10:43 EST
CVSS Score: 7.5 (overall), 7.5 (base)
Summary: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
Solution: N/A
Workaround: N/A
BDSA-2021-0373
Affected Component(s): Apache Thrift
Vulnerability Published: 2021-02-15 10:38 EST
Vulnerability Updated: 2021-02-15 10:38 EST
CVSS Score: 6.5 (overall), 7.5 (base)
Summary: Apache Thrift contains a denial-of-service (DoS) vulnerability. Successfully exploiting this could allow an attacker to crash the application.
Solution: Fixed in 0.14.0.
The latest stable releases are available here.
Workaround: N/A
Apache Thrift jar needs to be updated to 0.14.0 to fix the above vulnerability.