Hi all,

Published CVEs are public information, so as a project we try to discuss them on our "public" mailing lists only. So, there is no need to loop in 'secur...@solr.apache.org' in the future; that list is reserved for potential "new" vulnerabilities. See our Security Policy for more details. [1]

To speak to CVE-2024-6763 in particular: Solr 9.7 is unaffected. We do use the Jetty jar in question, but we *don't* use the specific utility class ("HttpURI") required for the vulnerability.

Best,
Jason

[1] https://solr.apache.org/security.html#solr-news

On Tue, Feb 18, 2025 at 3:18 PM Altamirano, Emmanuel <emmanuel.altamir...@transunion.com> wrote:
> Hi community. By any chance do you have any update regarding this reported CVE-2024-6763?
>
> Best,
>
> Emmanuel Altamirano
> (E-man-u-well aa l t aa – m ih r AA n oh)
> Sr Consultant, Applications Development
> emmanuel.altamir...@transunion.com
> P: 312-985-3149
> M: 312-860-3774
> 555 West Adams St | Chicago, IL 60661
> transunion.com
> Pronouns: He/Him
>
> ------------------------------
> From: Akash Bande <akash.bande.w...@gmail.com>
> Sent: Thursday, February 13, 2025 7:26 AM
> To: users@solr.apache.org <users@solr.apache.org>; secur...@solr.apache.org <secur...@solr.apache.org>
> Cc: Altamirano, Emmanuel <emmanuel.altamir...@transunion.com>
> Subject: Medium vulnerability CVE-2024-6763 found in org.eclipse.jetty:jetty-http 10.0.22
>
> Hello Solr security team and users,
>
> Our team found a medium-level vulnerability in a Checkmarx report for the dependency org.eclipse.jetty:jetty-http 10.0.22 in the solr-9.7.0 package.
>
> Details of the reported vulnerability are as follows:
> Id: CVE-2024-6763
> Category: CWE-1286 | Improper Validation of Syntactic Correctness of Input
> Dependency: org.eclipse.jetty:jetty-http 10.0.22
>
> Can you please take note of it and suggest a remedy, if any.
>
> Thanks and regards,
> Akash Bande.
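The reply above rests on a reachability argument: the vulnerable jar is shipped, but the class the CVE needs (HttpURI) is not called. The script below is an added illustration of how to check that kind of claim yourself; it is not code from the Solr project or from anyone on the thread. It scans a set of jars, reports the jetty-http version from the artifact's manifest (falling back to the file name), and lists the class files whose constant pool carries the internal name org/eclipse/jetty/http/HttpURI, i.e. the classes that reference it directly. The sample jars are constructed stand-ins built in memory (their .class entries are a magic number plus strings, not real bytecode), and the Solr directory paths mentioned in the usage note are assumptions.

```python
"""Find which jars bundle jetty-http and which class files reference HttpURI.

Added example for this thread, not Solr or Jetty code. The substring search
is a heuristic: a direct reference (field type, method descriptor, new,
checkcast, invoke) places the class's internal name in a CONSTANT_Utf8
entry, so scanning .class bytes for that name finds direct users. It does
not see reflective or string-built lookups.
"""
import io
import re
import sys
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# JVM-internal name of the class named in the reply above.
TARGET_CLASS = b"org/eclipse/jetty/http/HttpURI"
# File-name pattern of the jetty-http artifact, e.g. jetty-http-10.0.22.jar.
JETTY_HTTP_NAME = re.compile(r"^jetty-http-(\d[\w.\-]*)\.jar$")


def jetty_http_version(jar_name: str, zf: zipfile.ZipFile) -> Optional[str]:
    """Return the jetty-http version if this jar is the jetty-http artifact.

    Prefer the manifest's Implementation-Version; fall back to the file name.
    Returns None for any other jar.
    """
    m = JETTY_HTTP_NAME.match(Path(jar_name).name)
    if not m:
        return None
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return m.group(1)
    mv = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return mv.group(1) if mv else m.group(1)


def classes_referencing(zf: zipfile.ZipFile, target: bytes = TARGET_CLASS) -> List[str]:
    """List .class entries whose bytes contain the target's internal name."""
    return [
        name for name in zf.namelist()
        if name.endswith(".class") and target in zf.read(name)
    ]


def scan_jar_blobs(jars: Dict[str, bytes]) -> Dict[str, object]:
    """Scan {jar name: jar bytes}; the jetty-http jar itself is skipped because
    it defines the class rather than consuming it."""
    version: Optional[str] = None
    referencing: Dict[str, List[str]] = {}
    for jar_name, blob in jars.items():
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            v = jetty_http_version(jar_name, zf)
            if v:
                version = v
                continue
            hits = classes_referencing(zf)
            if hits:
                referencing[jar_name] = hits
    return {"jetty_http_version": version, "referencing": referencing}


def scan_jar_paths(dirs: List[str]) -> Dict[str, object]:
    """Read every *.jar under the given directories and scan them."""
    jars = {str(p): p.read_bytes() for d in dirs for p in Path(d).rglob("*.jar")}
    return scan_jar_blobs(jars)


def _jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip (a jar is a zip) from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_jars() -> Dict[str, bytes]:
    """Constructed stand-ins, not real Jetty or Solr jars. Each fake .class is
    the class-file magic followed by the strings a real constant pool would
    hold, which is all the substring check needs."""
    magic = b"\xca\xfe\xba\xbe"
    return {
        "jetty-http-10.0.22.jar": _jar({
            "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Version: 10.0.22\n",
            "org/eclipse/jetty/http/HttpURI.class": magic + TARGET_CLASS,
        }),
        # References jetty-server's Request but never HttpURI: no hit expected.
        "app-core.jar": _jar({
            "com/example/Handler.class": magic + b"org/eclipse/jetty/server/Request",
        }),
        # Calls HttpURI directly: this one should be reported.
        "third-party-plugin.jar": _jar({
            "com/example/UriTool.class": magic + TARGET_CLASS + b"parse",
        }),
    }


if __name__ == "__main__":
    # With directories on the command line, scan real jars; otherwise demo on the samples.
    report = scan_jar_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_jar_blobs(build_sample_jars())
    print("jetty-http version:", report["jetty_http_version"])
    for jar, classes in report["referencing"].items():
        print(f"{jar}: {len(classes)} class(es) reference HttpURI")
```

Run it as `python check_httpuri.py <solr>/server/lib <solr>/server/solr-webapp/webapp/WEB-INF/lib` (the paths are assumed for illustration; point it at whatever directories hold your Solr and Jetty jars). With no arguments it scans the constructed samples and reports only third-party-plugin.jar. Two limits to keep in mind when reading the output: the jetty-http jar is skipped because it defines the class, while every other jar in the scanned directories, Jetty's own modules included, is reported if it references HttpURI; and an empty result means no scanned bytecode names the class directly, not that the class can never execute, since reflective use is invisible to a substring search.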