Skip to content

VEX statements for CVEs affecting Jetty 10 in Solr 9#200

Open
epugh wants to merge 3 commits into
apache:mainfrom
epugh:cves_in_jetty_10
Open

VEX statements for CVEs affecting Jetty 10 in Solr 9#200
epugh wants to merge 3 commits into
apache:mainfrom
epugh:cves_in_jetty_10

Conversation

@epugh

@epugh epugh commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Three CVEs, CVE-2026-5795, CVE-2026-2332, CVE-2025-11143 against Jetty 10 that impact Solr 9.

CVE-2026-5795 is not an issue for Solr, but the other two https://nvd.nist.gov/vuln/detail/CVE-2026-2332, and CVE-2026-5795 are.

jars:
- jetty-http-10.0.26.jar
analysis:
state: exploitable

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Solr says a security issue justifying a CVE is only valid when you can do it agains a authn and authz setup Solr. If that is the case, and this issue is mitigated by having authn/authz enabled, then maybe this isn't exploitable?

From some analysis:

The primary code-level mitigation available without upgrading Jetty is exactly what the VEX says: enable Solr's own authentication/authorization, because SolrDispatchFilter uses Jetty's already-resolved path — it can't be fooled by differential proxy/Jetty URI parsing the way a proxy-only control can.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, dug more in, and I think this can be marked not_affected.

epugh added 2 commits July 2, 2026 12:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant