either.
All in all, this appears to be a false positive for both versions of Solr
(9.2.1 and 9.3). Happy to receive a note if I am wrong and there is indeed an
issue.
Thanks a lot!
Stefan
From: Colvin Cowie
Date: Monday, 21. August 2023 at 14:45
To: users@solr.apache.org
Subject: Re: HIGH CV
he problematic class "FileBackedOutputStream". So, maybe this
> is not a problem at all?
>
> Stefan
>
> From: Colvin Cowie
> Date: Monday, 21. August 2023 at 13:19
> To: users@solr.apache.org
> Subject: Re: HIGH CVE-2023-2976 in Solr 9.3.0
r release 3.3.5 and could not find any
mention of the problematic class "FileBackedOutputStream". So, maybe this is
not a problem at all?
Stefan
From: Colvin Cowie
Date: Monday, 21. August 2023 at 13:19
To: users@solr.apache.org
Subject: Re: HIGH CVE-2023-2976 in Solr 9.3.0
Hello. Solr 9.3.0 itself shipped with guava-32.0.1-jre. Where exactly are
you seeing the old version?
On Mon, 21 Aug 2023 at 11:59, Pieper, Stefan wrote:
> Hi there,
>
> a trivy image scan on solr:9.3.0 reveals CVE-2023-2976, rated HIGH, for
> com.google.guava:guava: 30.1.1-jre. I fail to fi
Hi there,
a trivy image scan on solr:9.3.0 reveals CVE-2023-2976, rated HIGH, for
com.google.guava:guava: 30.1.1-jre. I fail to find any information on relevance
of this to Solr or Hadoop which introduces the dependency.
Can you provide information on the severity of this CVE in context of Solr