[SOLR-16568] Update woodstox-core to 6.4.0 to mitigate CVE-2022-40152 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 9.1
Fix Version/s: main (10.0), 9.1.1
Component/s: None
Labels:
- security

Description

This was brought up on the mailing list here: https://lists.apache.org/thread/psc4r75o933y22jos4xk5rcwhof48sdw

The automatically created CVEs against xstream are misleading and read the thread above to try to find out more. Its not clear which CVEs if any are actually valid.

The only one that looks still valid against woodstox-core is CVE-2022-40152 (https://github.com/advisories/GHSA-3f7h-mf4q-vrm4) and fixed in https://github.com/FasterXML/woodstox/issues/160. It is LOW severity only.

Our container scan detects woodstox 6.2.8

/opt/bitnami/solr/server/solr-webapp/webapp/WEB-INF/lib/woodstox-core-6.2.8.jar

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image-2023-03-18-15-37-50-431.png
18/Mar/23 10:07
84 kB
Sujeet Hinge

Issue Links

is duplicated by

SOLR-16572 Update FasterXML Woodstox Dependency for CVE-2022-40153

Resolved

is related to

SOLR-16562 Upgrade to Caffeine 3.1.4

Closed

links to

GitHub Pull Request #1209

Activity

People

Assignee:: Kevin Risden

Reporter:: Bill Kidwell

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 01/Dec/22 19:33

Updated:: 19/Mar/23 04:19

Resolved:: 07/Dec/22 19:19

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

40m