You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@solr.apache.org by gi...@apache.org on 2023/01/19 12:31:09 UTC
[solr-site] branch asf-site updated: Automatic Site Publish by Buildbot
This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/solr-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 4c7d62b61 Automatic Site Publish by Buildbot
4c7d62b61 is described below
commit 4c7d62b61c92cb48ae2fa0bb708f6989d70dfd07
Author: buildbot <us...@infra.apache.org>
AuthorDate: Thu Jan 19 12:31:05 2023 +0000
Automatic Site Publish by Buildbot
---
output/community.html | 8 +-
output/downloads.html | 2 +-
output/editing-website.html | 2 +-
output/features.html | 4 +-
output/guide/index.html | 2 +-
output/guide/solr-tutorial.html | 2 +-
output/index.html | 2 +-
output/logos-and-assets.html | 2 +-
output/news.html | 2 +-
output/operator/articles/explore-v030-gke.html | 2 +-
output/operator/artifacts.html | 2 +-
output/operator/community.html | 2 +-
output/operator/features.html | 2 +-
output/operator/index.html | 2 +-
output/operator/logos-and-assets.html | 2 +-
output/operator/news.html | 2 +-
output/operator/resources.html | 2 +-
output/resources.html | 4 +-
output/security.html | 389 ++++++++++++-
output/solr.vex.json | 738 +++++++++++++++++++++++++
output/whoweare.html | 2 +-
21 files changed, 1143 insertions(+), 32 deletions(-)
diff --git a/output/community.html b/output/community.html
index 9486d0dbd..5ede5510e 100644
--- a/output/community.html
+++ b/output/community.html
@@ -210,7 +210,7 @@ wealth of information about how to get the most out of the IRC channels.</p>
Patches welcome! This is not the correct place to start when you need support. Problems should be
discussed on the mailing list and/or via IRC before creating an issue.</p>
<h2 id="how-to-contribute">How To Contribute</h2>
-<p>Looking to contribute to Solr? Read the <a href="https://cwiki.apache.org/confluence/display/SOLR/HowToContribute">instructions</a> on
+<p>Looking to contribute to Solr? Read the <a href="https://github.com/apache/solr/blob/main/CONTRIBUTING.md">instructions</a> on
contributing and then submit a patch!</p>
<h2 id="code-of-conduct">Code of Conduct</h2>
<p>For a large and diverse community like ours to be friendly, welcoming and respectful, we recognize the need for some guidelines. The project follows <a href="https://www.apache.org/foundation/policies/conduct">Apache's Code of Conduct statement</a>. Please take some time to read and understand it.</p>
@@ -232,9 +232,7 @@ No GIT client software is required.</p>
</code></pre></div>
<p>Then use GitHub's <a href="https://docs.github.com/en/github/getting-started-with-github/fork-a-repo">fork feature</a>
-to obtain a personal fork from which you can later contribute your changes through a
-<a href="https://cwiki.apache.org/confluence/display/solr/HowToContribute#HowToContribute-WorkingwithGitHub">Pull Request</a>
-or a <a href="https://cwiki.apache.org/confluence/display/solr/HowToContribute#HowToContribute-Generatingapatch">patch in Jira</a>.</p>
+to obtain a personal fork from which you can later contribute your changes based on the <a href="https://github.com/apache/solr/blob/main/CONTRIBUTING.md">how to contribute</a> page.</p>
<p>You may alternatively choose to clone apache's git mirror at <code>https://gitbox.apache.org/repos/asf/solr.git</code>.</p>
<h2 id="powered-by">Powered By</h2>
<p>Solr powers some of the most heavily-trafficked websites and applications in the world. Here are some examples (alphabetical order):</p>
@@ -338,7 +336,7 @@ or a <a href="https://cwiki.apache.org/confluence/display/solr/HowToContribute#H
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/downloads.html b/output/downloads.html
index 9a9370012..2f0b4493a 100644
--- a/output/downloads.html
+++ b/output/downloads.html
@@ -327,7 +327,7 @@ Due to the voluntary nature of Solr, no releases are scheduled in advance.</p>
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/editing-website.html b/output/editing-website.html
index 6d56d8082..841e596c6 100644
--- a/output/editing-website.html
+++ b/output/editing-website.html
@@ -223,7 +223,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/features.html b/output/features.html
index 7fd3e013e..8c8ecf954 100644
--- a/output/features.html
+++ b/output/features.html
@@ -687,7 +687,7 @@
</div>
<div class="row">
<div class="centered">
- <a class="btn1" href="https://cwiki.apache.org/confluence/display/solr/HowToContribute">How to contribute</a>
+ <a class="btn1" href="https://github.com/apache/solr/blob/main/CONTRIBUTING.md">How to contribute</a>
<div>
</div>
</ul>
@@ -1081,7 +1081,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/guide/index.html b/output/guide/index.html
index 8f9e566e5..7563e12f1 100644
--- a/output/guide/index.html
+++ b/output/guide/index.html
@@ -219,7 +219,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/guide/solr-tutorial.html b/output/guide/solr-tutorial.html
index 9880f5b90..669cbbc29 100644
--- a/output/guide/solr-tutorial.html
+++ b/output/guide/solr-tutorial.html
@@ -190,7 +190,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/index.html b/output/index.html
index fe48aa289..fc858b608 100644
--- a/output/index.html
+++ b/output/index.html
@@ -419,7 +419,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/logos-and-assets.html b/output/logos-and-assets.html
index 7b18ce5a9..07334718b 100644
--- a/output/logos-and-assets.html
+++ b/output/logos-and-assets.html
@@ -243,7 +243,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/news.html b/output/news.html
index 346e13e13..4e5f0308e 100644
--- a/output/news.html
+++ b/output/news.html
@@ -3925,7 +3925,7 @@ file included with the release for a full list of details.</p>
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/articles/explore-v030-gke.html b/output/operator/articles/explore-v030-gke.html
index b9e21d6e7..ef6b337f3 100644
--- a/output/operator/articles/explore-v030-gke.html
+++ b/output/operator/articles/explore-v030-gke.html
@@ -1009,7 +1009,7 @@ Let’s us know, we’re on slack <a href="https://kubernetes.slack.com/messages
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/artifacts.html b/output/operator/artifacts.html
index de68044da..0e6fa01b6 100644
--- a/output/operator/artifacts.html
+++ b/output/operator/artifacts.html
@@ -340,7 +340,7 @@ Source releases are provided for the operator, however binaries are only provide
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/community.html b/output/operator/community.html
index 589b7cf85..0c3ef2126 100644
--- a/output/operator/community.html
+++ b/output/operator/community.html
@@ -233,7 +233,7 @@ to obtain a personal fork from which you can later contribute your changes throu
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/features.html b/output/operator/features.html
index f3edf4e09..d51b5b920 100644
--- a/output/operator/features.html
+++ b/output/operator/features.html
@@ -391,7 +391,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/index.html b/output/operator/index.html
index b65cac7af..de3d7bf49 100644
--- a/output/operator/index.html
+++ b/output/operator/index.html
@@ -476,7 +476,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/logos-and-assets.html b/output/operator/logos-and-assets.html
index 872927277..7344d991c 100644
--- a/output/operator/logos-and-assets.html
+++ b/output/operator/logos-and-assets.html
@@ -226,7 +226,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/news.html b/output/operator/news.html
index 70209e733..71c02942e 100644
--- a/output/operator/news.html
+++ b/output/operator/news.html
@@ -337,7 +337,7 @@ Make sure to run the new <code>make prepare</code> command before submitting a P
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/operator/resources.html b/output/operator/resources.html
index 570fbacf8..1fbaaddca 100644
--- a/output/operator/resources.html
+++ b/output/operator/resources.html
@@ -231,7 +231,7 @@
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/resources.html b/output/resources.html
index 81f3c0692..dcbc896c5 100644
--- a/output/resources.html
+++ b/output/resources.html
@@ -289,7 +289,7 @@ Rafał Kuć is proud to introduce a new book on Solr, <a href="http://www.packtp
<p><a href="http://www.packtpub.com/solr-3-1-enterprise-search-server-cookbook/book">Buy here</a></p>
<hr>
<h2 id="presentations">Presentations</h2>
-<p>If you have a Solr presentation that you would like to see listed here, please submit a <a href="https://cwiki.apache.org/confluence/display/solr/HowToContribute">patch</a> via a JIRA with the appropriate content.</p>
+<p>If you have a Solr presentation that you would like to see listed here, please submit a <a href="https://github.com/apache/solr/blob/main/CONTRIBUTING.md">patch</a> via a JIRA with the appropriate content.</p>
<h3 class="offset" id="slideshare">Slideshare</h3>
<p><a href="http://www.slideshare.net/search/slideshow?&q=solr">Search Slideshare for Solr</a></p>
@@ -381,7 +381,7 @@ Rafał Kuć is proud to introduce a new book on Solr, <a href="http://www.packtp
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/security.html b/output/security.html
index 517fe27b0..3568a6046 100644
--- a/output/security.html
+++ b/output/security.html
@@ -129,21 +129,22 @@
<p>Every CVE that is detected by a software scanner is by definition already public knowledge. That means the Solr PMC and the rest of the world probably already know about it.</p>
<p>To find a path forward in addressing a detected CVE we suggest the following process for fastest results:</p>
<ol>
-<li>Check further down this page to see if the CVE is listed as exploitable in Solr.</li>
-<li>Check the <a href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools">officially published non-exploitable vulnerabilities</a> list to see if the CVE is listed as not exploitable in Solr.</li>
+<li>Check <a href="#recent-cve-reports-for-apache-solr">further down this page</a> to see if the CVE is listed as exploitable in Solr.</li>
+<li>Check the <a href="#cve-reports-for-apache-solr-dependencies">officially published non-exploitable vulnerabilities</a> list to see if the CVE is listed as not exploitable in Solr.</li>
<li>Search through the <a href="https://lists.apache.org/list.html?users@solr.apache.org">Solr users mailing list archive</a> to see if anyone else has brought up this dependency CVE.</li>
<li>If no one has, then please do <a href="https://solr.apache.org/community.html#mailing-lists-chat">subscribe to the users mailing list</a> and then send an email asking about the CVE.</li>
</ol>
<h4 id="dos-and-donts">Dos and Don'ts</h4>
<ul>
-<li>Please DO discuss the possible need for library upgrades on the user list. </li>
+<li>Please DO discuss the possible need for library upgrades on the user list.</li>
<li>Please DO search Jira for the CVE number to see if we are addressing it already.</li>
<li>Please DO create Jira issues and associated pull requests to propose and discuss upgrades of <em>a single specific</em> dependency.</li>
<li>Please DO NOT attach a scan report, or paste output of a scan into Jira (just link the CVE instead)</li>
<li>Please DO NOT email the security email below with a scan report it will be ignored.</li>
+<li>Please DO look into automating some of this with <a href="#vex">VEX</a> and share your experience.</li>
</ul>
<h4 id="use-of-jira">Use of Jira</h4>
-<p>Jira is for discussing specific development modifications. Any Jira that contains only scan report output, or references multiple dependencies at the same time is likely to be ignored/closed. The large number of folks sending us reports of things that are already known is a serious drag on our (volunteer) time so <strong>please search Jira</strong> before opening a new issue. </p>
+<p>Jira is for discussing specific development modifications. Any Jira that contains only scan report output, or references multiple dependencies at the same time is likely to be ignored/closed. The large number of folks sending us reports of things that are already known is a serious drag on our (volunteer) time so <strong>please search Jira</strong> before opening a new issue.</p>
<h3 id="new-exploits-you-discover-in-solr">New Exploits <span style="color:blue">You</span> Discover in Solr</h3>
<p>The Solr PMC greatly appreciates reports of new security vulnerabilities found in Solr itself or demonstrations of exploiting vulnerabilities via dependencies.
<strong>It is important not to publish a previously unknown exploit</strong>, or exploit demonstration code on public mailing lists.
@@ -154,10 +155,31 @@ The contact email for reporting newly discovered exploits in Solr is <a href="&#
<li><strong>Authentication</strong> - Exploits demonstrated without login waste our time because Solr is not meant to run such that the entire world has access to all of its APIs. Running without forcing users to log in is no more valid than running linux with a widely known default root password, or a database with a root account that has no password.</li>
<li><strong>Authorization</strong> - It is not an exploit unless the authenticated user was configured with a role that should have prohibited the action, or the action should never be allowed for any user regardless of role. Your report should say why you think this action is not acceptable for the role(s) you tested it with.</li>
</ol>
+<h4 id="vex">VEX</h4>
+<p>Since the process of checking whether CVEs in dependencies of Solr affect your
+Solr deployment is tedious and error-prone, we are experimenting with sharing
+information about advisories that are known (not) to affect Solr in a
+machine-readable way.</p>
+<p>File formats to share this information are called 'VEX' formats. A number of
+such formats are under active development, such as based on
+<a href="https://cyclonedx.org/capabilities/vex/">CycloneDX</a> and
+<a href="https://github.com/oasis-tcs/csaf/blob/master/csaf_2.0/prose/csaf-v2-editor-draft.md#45-profile-5-vex">CSAF</a>.</p>
+<p>We are currently providing vulnerability information in a CycloneDX JSON-based
+format <a href="/solr.vex.json">here</a>. We are very curious to hear about your experience,
+and to find out what is still missing to reduce the signal/noise ratio and make
+these tools more effective. We invite you to join the discussion at the
+<a href="mailto:security-discuss@community.apache.org">security-discuss</a>
+<a href="https://www.apache.org/foundation/mailinglists.html">mailinglist</a> or,
+if you prefer to collaborate in private, contact
+<a href="mailto:security@apache.org">security@apache.org</a>. It will likely be interesting
+to know what security scanning/reporting tool you are using, exactly on which
+artifacts, and if/how its vendor appears to support VEX. We'd be happy to work
+with you to see if we can provide this information in other variations or formats.</p>
<h3 id="more-information">More information</h3>
<p>You will find more security related information on our Wiki: <a href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity">https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity</a></p>
-<h1 id="recent-cve-reports-for-apache-solr">Recent CVE reports for Apache Solr</h1>
-<p>Below is a list of already announced CVE vulnerabilities. These are also available as an <a href="/feeds/solr/security.atom.xml">ATOM feed</a>:</p>
+
+ <h1 id="recent-cve-reports-for-apache-solr">Recent CVE reports for Apache Solr</h1>
+ <p>Below is a list of already announced CVE vulnerabilities. These are also available as an <a href="/feeds/solr/security.atom.xml">ATOM feed</a>:</p>
<table>
<tr>
@@ -658,6 +680,359 @@ dk from Chaitin Tech</p>
<li><a href="https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity">https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity</a></li>
</ul>
<hr/>
+ <h1 id="cve-reports-for-apache-solr-dependencies">CVE reports for Apache Solr dependencies</h1>
+ <p>Below is a list of CVE vulnerabilities in Apache Solr dependencies, and the state of their applicability to Solr.</p>
+ <p>We are currently experimenting with providing this information in a <a href="#vex">machine-readable VEX format</a> and encourage you to participate.</p>
+ <table>
+ <tr>
+ <th>id</th>
+ <th>versions</th>
+ <th>jars</th>
+ <th>state</th>
+ <th>detail</th>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-33980">CVE-2022-33980</a> </td>
+ <td>
+ < 9.1
+ </td>
+ <td>
+ commons-configuration2-2.7.jar </td>
+ <td>not affected</td>
+ <td>Solr uses commons-configuration2 for "hadoop-auth" only (for Kerberos). It is only used for loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-42889">CVE-2022-42889</a> </td>
+ <td>
+ < 9.1
+ </td>
+ <td>
+ commons-text-1.9.jar </td>
+ <td>not affected</td>
+ <td>Solr uses commons-text directly (StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not vulnerable. Solr also has a "hadoop-auth" module that uses Apache Hadoop which uses commons-text through commons-configuration2. For Solr, the concern is limited to loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-25168">CVE-2022-25168</a> </td>
+ <td>
+ < 9.1
+ </td>
+ <td>
+ hadoop-common-3.2.2.jar </td>
+ <td>not affected</td>
+ <td>The vulnerable code won't be used by Solr because Solr only is only using HDFS as a client.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44832">CVE-2021-44832</a> </td>
+ <td>
+ 7.4-8.11.1
+ </td>
+ <td>
+ log4j-core-2.14.1.jar, log4j-core-2.16.0.jar </td>
+ <td>not affected</td>
+ <td>Solr's default log configuration doesn't use JDBCAppender and we don't imagine a user would want to use it or other obscure appenders.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45105">CVE-2021-45105</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</a> </td>
+ <td>
+ 7.4-8.11.1
+ </td>
+ <td>
+ log4j-core-2.14.1.jar, log4j-core-2.16.0.jar </td>
+ <td>not affected</td>
+ <td>The MDC data used by Solr are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized. Furthermore, Solr's default log configuration doesn't use double-dollar-sign and we don't imagine a user would want to do that.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-13955">CVE-2020-13955</a> </td>
+ <td>
+ 8.1.0- today
+ </td>
+ <td>
+ avatica-core-1.13.0.jar, calcite-core-1.18.0.jar </td>
+ <td>not affected</td>
+ <td>Solr's SQL adapter does not use the vulnerable class "HttpUtils". Calcite only used it to talk to Druid or Splunk.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-10237">CVE-2018-10237</a> </td>
+ <td>
+ 5.4.0-today
+ </td>
+ <td>
+ carrot2-guava-18.0.jar </td>
+ <td>not affected</td>
+ <td>Only used with the Carrot2 clustering engine.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2014-0114">CVE-2014-0114</a> </td>
+ <td>
+ 4.9.0-7.5.0
+ </td>
+ <td>
+ commons-beanutils-1.8.3.jar </td>
+ <td>not affected</td>
+ <td>This is only used at compile time and it cannot be used to attack Solr. Since it is generally unnecessary, the dependency has been removed as of 7.5.0. See SOLR-12617.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10086">CVE-2019-10086</a> </td>
+ <td>
+ 8.0.0-8.3.0
+ </td>
+ <td>
+ commons-beanutils-1.9.3.jar </td>
+ <td>not affected</td>
+ <td>While commons-beanutils was removed in 7.5, it was added back in 8.0 in error and removed again in 8.3. The vulnerable class was not used in any Solr code path. This jar remains a dependency of both Velocity and hadoop-common, but Solr does not use it in our implementations.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2012-2098">CVE-2012-2098</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1324">CVE-2018-1324</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-11771">CVE-2018-11771</a> </td>
+ <td>
+ 4.6.0-today
+ </td>
+ <td>
+ commons-compress (only as part of Ant 1.8.2) </td>
+ <td>not affected</td>
+ <td>Only used in test framework and at build time.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1000632">CVE-2018-1000632</a> </td>
+ <td>
+ 4.6.0-today
+ </td>
+ <td>
+ dom4j-1.6.1.jar </td>
+ <td>not affected</td>
+ <td>Only used in Solr tests.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-10237">CVE-2018-10237</a> </td>
+ <td>
+ 4.6.0-today
+ </td>
+ <td>
+ guava-*.jar </td>
+ <td>not affected</td>
+ <td>Only used in tests.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15718">CVE-2017-15718</a> </td>
+ <td>
+ 6.6.1-7.6.0
+ </td>
+ <td>
+ hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all Hadoop) </td>
+ <td>not affected</td>
+ <td>Does not impact Solr because Solr uses Hadoop as a client library.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14952">CVE-2017-14952</a> </td>
+ <td>
+ 6.0.0-7.5.0
+ </td>
+ <td>
+ icu4j-56.1.jar, icu4j-59.1.jar </td>
+ <td>not affected</td>
+ <td>Issue applies only to the C++ release of ICU and not ICU4J, which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-15095">CVE-2017-15095</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-17485">CVE-2017-17485</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-7525">CVE-2017-7525</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-5968">CVE-2018-5968</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-7489">CVE-2018-7489</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12086">CVE-2019-12086</a>, <a href="https://nvd.nist.gov/ [...]
+ <td>
+ 4.7.0-today
+ </td>
+ <td>
+ jackson-databind-*.jar </td>
+ <td>not affected</td>
+ <td>These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See <a href="https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062">https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-y [...]
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10241">CVE-2019-10241</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10247">CVE-2019-10247</a> </td>
+ <td>
+ 7.7.0-8.2
+ </td>
+ <td>
+ jetty-9.4.14 </td>
+ <td>not affected</td>
+ <td>Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier versions can manually patch their configurations as described in SOLR-13409.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27218">CVE-2020-27218</a> </td>
+ <td>
+ 7.3.0-8.8.0
+ </td>
+ <td>
+ jetty-9.4.0 to 9.4.34 </td>
+ <td>not affected</td>
+ <td>Only exploitable through use of Jetty's GzipHandler, which is only implemented in Embedded Solr Server.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-27223">CVE-2020-27223</a> </td>
+ <td>
+ 7.3.0-present
+ </td>
+ <td>
+ jetty-9.4.6 to 9.4.36 </td>
+ <td>not affected</td>
+ <td>Only exploitable if Solr's webapp directory is deployed as a symlink, which is not Solr's default.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-33813">CVE-2021-33813</a> </td>
+ <td>
+ to present
+ </td>
+ <td>
+ jdom-*.jar </td>
+ <td>not affected</td>
+ <td>JDOM is only used in Solr Cell, which should not be used in production which makes the vulnerability unexploitable. It is a dependency of Apache Tika, which has analyzed the issue and determined the vulnerability is limited to two libraries not commonly used in search applications, see TIKA-3488 for details. Since Tika should be used outside of Solr, use a version of Tika which updates the affected libraries if concerned about exposure to this issue.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1000056">CVE-2018-1000056</a> </td>
+ <td>
+ 4.6.0-7.6.0
+ </td>
+ <td>
+ junit-4.10.jar </td>
+ <td>not affected</td>
+ <td>JUnit only used in tests; CVE only refers to a Jenkins plugin not used by Solr.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2014-7940">CVE-2014-7940</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2016-6293">CVE-2016-6293</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2016-7415">CVE-2016-7415</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14952">CVE-2017-14952</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-17484">CVE-2017-17484</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-7867">CVE-2017-7867</a>, <a href="https://nvd.nist.gov/vu [...]
+ <td>
+ 7.3.1
+ </td>
+ <td>
+ lucene-analyzers-icu-7.3.1.jar </td>
+ <td>not affected</td>
+ <td>All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16869">CVE-2019-16869</a> </td>
+ <td>
+ 8.2-8.3
+ </td>
+ <td>
+ netty-all-4.1.29.Final.jar </td>
+ <td>not affected</td>
+ <td>This is not included in Solr but is a dependency of ZooKeeper 3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with Solr 8.3. The specific classes mentioned in the CVE are not used in Solr (nor in ZooKeeper as far as the Solr community can determine).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14868">CVE-2017-14868</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-14949">CVE-2017-14949</a> </td>
+ <td>
+ 5.2.0-today
+ </td>
+ <td>
+ org.restlet-2.3.0.jar </td>
+ <td>not affected</td>
+ <td>Solr should not be exposed outside a firewall where bad actors can send HTTP requests. These two CVEs specifically involve classes (SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use in any code path.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2015-5237">CVE-2015-5237</a> </td>
+ <td>
+ 6.5.0-today
+ </td>
+ <td>
+ protobuf-java-3.1.0.jar </td>
+ <td>not affected</td>
+ <td>Dependency for Hadoop and Calcite. ??</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1471">CVE-2018-1471</a> </td>
+ <td>
+ 5.4.0-7.7.2, 8.0-8.3
+ </td>
+ <td>
+ simple-xml-2.7.1.jar </td>
+ <td>not affected</td>
+ <td>Dependency of Carrot2 and used during compilation, not at runtime (see SOLR-769. This .jar was replaced in Solr 8.3 and backported to 7.7.3 (see SOLR-13779).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-8088">CVE-2018-8088</a> </td>
+ <td>
+ 4.x-today
+ </td>
+ <td>
+ slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar, jul-to-slf4j-1.7.24.jar </td>
+ <td>not affected</td>
+ <td>The reported CVE impacts org.slf4j.ext.EventData, which is not used in Solr.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1335">CVE-2018-1335</a> </td>
+ <td>
+ 7.3.1-7.5.0
+ </td>
+ <td>
+ tika-core.1.17.jar </td>
+ <td>not affected</td>
+ <td>Solr does not run tika-server, so this is not a problem.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-">CVE-</a> </td>
+ <td>
+ 7.3.1-today
+ </td>
+ <td>
+ tika-core.*.jar </td>
+ <td>not affected</td>
+ <td>All Tika issues that could be Solr vulnerabilities would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems, so Solr does not consider these valid CVEs for Solr.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-">CVE-</a> </td>
+ <td>
+ 6.6.2-today
+ </td>
+ <td>
+ velocity-tools-2.0.jar </td>
+ <td>not affected</td>
+ <td>Solr does not ship a Struts jar. This is a transitive POM listing and not included with Solr (see comment in SOLR-2849).</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-6809">CVE-2016-6809</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1335">CVE-2018-1335</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1338">CVE-2018-1338</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1339">CVE-2018-1339</a> </td>
+ <td>
+ 5.5.5, 6.2.0-today
+ </td>
+ <td>
+ vorbis-java-tika-0.8.jar </td>
+ <td>not affected</td>
+ <td>See <a href="https://github.com/Gagravarr/VorbisJava/issues/30">https://github.com/Gagravarr/VorbisJava/issues/30</a>; reported CVEs are not related to OggVorbis at all.</td>
+ </tr>
+ <tr>
+ <td>
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2012-0881">CVE-2012-0881</a> </td>
+ <td>
+ ~2.9-today
+ </td>
+ <td>
+ xercesImpl-2.9.1.jar </td>
+ <td>not affected</td>
+ <td>Only used in Lucene Benchmarks and Solr tests.</td>
+ </tr>
+ </table>
</div>
</div>
</div>
@@ -731,7 +1106,7 @@ dk from Chaitin Tech</p>
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.
diff --git a/output/solr.vex.json b/output/solr.vex.json
new file mode 100644
index 000000000..d7e3fe61c
--- /dev/null
+++ b/output/solr.vex.json
@@ -0,0 +1,738 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "version": 1,
+ "metadata": {
+ "component": {
+ "name": "solr",
+ "version": "SNAPSHOT",
+ "type": "application",
+ "bom-ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ },
+ "vulnerabilities": [
+ {
+ "id": "CVE-2022-33980",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr uses commons-configuration2 for \"hadoop-auth\" only (for Kerberos). It is only used for loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted)."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-42889",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr uses commons-text directly (StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet that is not vulnerable. Solr also has a \"hadoop-auth\" module that uses Apache Hadoop which uses commons-text through commons-configuration2. For Solr, the concern is limited to loading Hadoop configuration files that would only ever be provided by trusted administrators, not externally (untrusted)."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-25168",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The vulnerable code won't be used by Solr because Solr only is only using HDFS as a client."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-44832",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr's default log configuration doesn't use JDBCAppender and we don't imagine a user would want to use it or other obscure appenders."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-45105",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The MDC data used by Solr are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized. Furthermore, Solr's default log configuration doesn't use double-dollar-sign and we don't imagine a user would want to do that."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-45046",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The MDC data used by Solr are for the collection, shard, replica, core and node names, and a potential trace id, which are all sanitized. Furthermore, Solr's default log configuration doesn't use double-dollar-sign and we don't imagine a user would want to do that."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-13955",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr's SQL adapter does not use the vulnerable class \"HttpUtils\". Calcite only used it to talk to Druid or Splunk."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-10237",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used with the Carrot2 clustering engine."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2014-0114",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "This is only used at compile time and it cannot be used to attack Solr. Since it is generally unnecessary, the dependency has been removed as of 7.5.0. See SOLR-12617."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-10086",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "While commons-beanutils was removed in 7.5, it was added back in 8.0 in error and removed again in 8.3. The vulnerable class was not used in any Solr code path. This jar remains a dependency of both Velocity and hadoop-common, but Solr does not use it in our implementations."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2012-2098",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in test framework and at build time."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1324",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in test framework and at build time."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-11771",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in test framework and at build time."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1000632",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in Solr tests."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-10237",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in tests."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-15718",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Does not impact Solr because Solr uses Hadoop as a client library."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-14952",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Issue applies only to the C++ release of ICU and not ICU4J, which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0"
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-15095",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-17485",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-7525",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-5968",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-7489",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-12086",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-12384",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-12814",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-14379",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-14439",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-35490",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-35491",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-20190",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-14540",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-16335",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "These CVEs, and most of the known jackson-databind CVEs since 2017, are all related to problematic 'gadgets' that could be exploited during deserialization of untrusted data. The Jackson developers described 4 conditions that must be met in order for a problematic gadget to be exploited. See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062. Solr's use of jackson-databind does not meet 1 of the 4 conditions described [...]
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-10241",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier versions can manually patch their configurations as described in SOLR-13409."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-10247",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr upgraded to Jetty 9.4.19 for the 8.2 release. Additionally, the path to exploit these vulnerabilities was fixed in 8.1 and 7.7.2. Earlier versions can manually patch their configurations as described in SOLR-13409."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-27218",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only exploitable through use of Jetty's GzipHandler, which is only implemented in Embedded Solr Server."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2020-27223",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only exploitable if Solr's webapp directory is deployed as a symlink, which is not Solr's default."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2021-33813",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "JDOM is only used in Solr Cell, which should not be used in production which makes the vulnerability unexploitable. It is a dependency of Apache Tika, which has analyzed the issue and determined the vulnerability is limited to two libraries not commonly used in search applications, see TIKA-3488 for details. Since Tika should be used outside of Solr, use a version of Tika which updates the affected libraries if concerned about exposure to this issue."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1000056",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "JUnit only used in tests; CVE only refers to a Jenkins plugin not used by Solr."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2014-7940",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2016-6293",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2016-7415",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-14952",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-17484",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-7867",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-7868",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2019-16869",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "This is not included in Solr but is a dependency of ZooKeeper 3.5.5. The version was upgraded in ZooKeeper 3.5.6, included with Solr 8.3. The specific classes mentioned in the CVE are not used in Solr (nor in ZooKeeper as far as the Solr community can determine)."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-14868",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr should not be exposed outside a firewall where bad actors can send HTTP requests. These two CVEs specifically involve classes (SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use in any code path."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2017-14949",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr should not be exposed outside a firewall where bad actors can send HTTP requests. These two CVEs specifically involve classes (SimpleXMLProvider and XmlRepresentation, respectively) that Solr does not use in any code path."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2015-5237",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Dependency for Hadoop and Calcite. ??"
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1471",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Dependency of Carrot2 and used during compilation, not at runtime (see SOLR-769. This .jar was replaced in Solr 8.3 and backported to 7.7.3 (see SOLR-13779)."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-8088",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "The reported CVE impacts org.slf4j.ext.EventData, which is not used in Solr."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1335",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr does not run tika-server, so this is not a problem."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "All Tika issues that could be Solr vulnerabilities would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems, so Solr does not consider these valid CVEs for Solr."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Solr does not ship a Struts jar. This is a transitive POM listing and not included with Solr (see comment in SOLR-2849)."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2016-6809",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30; reported CVEs are not related to OggVorbis at all."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1335",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30; reported CVEs are not related to OggVorbis at all."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1338",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30; reported CVEs are not related to OggVorbis at all."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2018-1339",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "See https://github.com/Gagravarr/VorbisJava/issues/30; reported CVEs are not related to OggVorbis at all."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2012-0881",
+ "analysis": {
+ "state": "not_affected",
+ "detail": "Only used in Lucene Benchmarks and Solr tests."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ },
+ {
+ "id": "CVE-2022-39135",
+ "analysis": {
+ "state": "exploitable",
+ "response": [
+ "update"
+ ],
+ "detail": "Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to Solr's '/sql' handler (even indirectly via proxies / other apps), then the user could perform an XML External Entity (XXE) attack. This might have been exposed by some deployers of Solr in order for internal analysts to use JDBC based tooling, but would have unlikely been granted to wider audiences."
+ },
+ "affects": [
+ {
+ "ref": "5a7000a5-0de2-516f-8fcd-099b7cf4510b"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/output/whoweare.html b/output/whoweare.html
index 11df0751b..714b37311 100644
--- a/output/whoweare.html
+++ b/output/whoweare.html
@@ -258,7 +258,7 @@ have direct write access to the source repositories. Developers may be invited a
</div>
<div class="row copyright">
<div class="large-centered columns">
- <p>Copyright © 2022 The Apache Software Foundation, Licensed under the
+ <p>Copyright © 2023 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a><br/>
Apache and the Apache feather logo are trademarks of The Apache Software Foundation. Apache Lucene,
Apache Solr and their respective logos are trademarks of the Apache Software Foundation.