[
https://issues.apache.org/jira/browse/SOLR-18082?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18069324#comment-18069324
]
Christos Malliaridis commented on SOLR-18082:
---------------------------------------------
Please note that jersey version was already 3.1.11 in Solr 10, with one
exception to {{org.glassfish.jersey.containers:jersey-container-jetty-http}}
which was using an older version (2.39.1).
> Upgrade jersey version to 2.47 to fix CVE-2025-12383
> ----------------------------------------------------
>
> Key: SOLR-18082
> URL: https://issues.apache.org/jira/browse/SOLR-18082
> Project: Solr
> Issue Type: Task
> Security Level: Public(Default Security Level. Issues are Public)
> Components: SolrJ
> Reporter: Isha Kunwar
> Assignee: Christos Malliaridis
> Priority: Major
> Labels: dependencies, pull-request-available
> Fix For: 10.1
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> [https://nvd.nist.gov/vuln/detail/CVE-2025-12383]
>
> In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause
> ignoring of critical SSL configurations - such as mutual authentication,
> custom key/trust stores, and other security settings. This issue may result
> in SSLHandshakeException under normal circumstances, but under certain
> conditions, it could lead to unauthorized trust in insecure servers (see PoC)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
