Apache Solr depends on many third-party libraries. Security scanners routinely flag CVEs in those libraries, but a CVE in a dependency does not automatically mean Solr is vulnerable — it depends on whether Solr actually exercises the affected code path in a way that can be exploited.
We publish our assessment of dependency CVEs in a machine-readable VEX (Vulnerability Exploitability eXchange) file. VEX is an open standard that lets vendors state explicitly whether a CVE applies to their product, and why. A number of formats are under active development, including CycloneDX and CSAF. We currently publish in CycloneDX 1.4 JSON format.
If your scanner supports VEX, download the file below and point your scanner at it to automatically suppress known non-applicable findings. If your scanner does not yet support VEX, you can use the table on this page to manually triage flagged CVEs.
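As an added example (not code from the Solr project), the following Python script shows what "point your scanner at the VEX file" boils down to: it reads a CycloneDX 1.4 VEX document and, for each scanner finding, decides whether the vendor statement allows the finding to be suppressed or whether it falls back to manual triage against the table. The VEX document and the findings are constructed here (the CVE ids and jar versions come from the table on this page), and matching `affects[].ref` against the flagged jar's package URL is an assumption about how the refs are written.

```python
import json

# Constructed CycloneDX 1.4 VEX document (assumed shape; not the file Solr publishes).
VEX_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "vulnerabilities": [
    {"id": "CVE-2024-51504",
     "affects": [{"ref": "pkg:maven/org.apache.zookeeper/zookeeper@3.9.2"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "CVE-2022-42889",
     "affects": [{"ref": "pkg:maven/org.apache.commons/commons-text@1.9"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}
  ]
}"""

# Constructed scanner findings: (CVE id, package URL of the flagged jar).
FINDINGS = [
    ("CVE-2024-51504", "pkg:maven/org.apache.zookeeper/zookeeper@3.9.2"),
    ("CVE-2022-42889", "pkg:maven/org.apache.commons/commons-text@1.9"),
    ("CVE-2022-42889", "pkg:maven/org.apache.commons/commons-text@1.8"),  # version not covered
    ("CVE-2099-00001", "pkg:maven/example/placeholder@1.0"),  # placeholder id, not in the VEX
]

# Only an explicit vendor statement of non-applicability may silence a finding.
SUPPRESS_STATES = {"not_affected", "false_positive"}

def index_vex(vex_text):
    """Map (CVE id, affected bom-ref) -> analysis dict. Assumes bom-ref == purl."""
    doc = json.loads(vex_text)
    if doc.get("bomFormat") != "CycloneDX" or doc.get("specVersion") != "1.4":
        raise ValueError("not a CycloneDX 1.4 document")
    index = {}
    for vuln in doc.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            index[(vuln["id"], target["ref"])] = vuln.get("analysis", {})
    return index

def triage(findings, vex_text):
    """Return {(cve, purl): 'suppress' | 'escalate' | 'manual_triage'}."""
    index = index_vex(vex_text)
    decisions = {}
    for cve, purl in findings:
        state = index.get((cve, purl), {}).get("state")
        if state in SUPPRESS_STATES:
            decisions[(cve, purl)] = "suppress"
        elif state == "exploitable":
            decisions[(cve, purl)] = "escalate"       # covered by its own Solr advisory
        else:
            decisions[(cve, purl)] = "manual_triage"  # no statement: consult the table
    return decisions
```

A finding whose jar version is not named in any `affects` entry deliberately stays open: the VEX statement only covers the versions it lists.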
We encourage feedback on VEX and tool support — join the discussion at security-discuss@community.apache.org or contact security@apache.org.
Below is a list of CVE vulnerabilities in Apache Solr dependencies and their applicability to Solr. CVEs assessed as exploitable in Solr have their own advisory on the security news page.
| ID | Versions | JARs | State | Title |
|---|---|---|---|---|
| CVE-2024-51504 | 9.4.0-9.8.1 | zookeeper-3.9.0.jar, zookeeper-3.9.1.jar, zookeeper-3.9.2.jar | not affected | Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server |
| CVE-2024-6763 | < 9.8 | jetty-http-10.0.22.jar | not affected | jetty-http |
| CVE-2023-51074, GHSA-pfh2-hfmq-phg5 | all | json-path-2.8.0.jar | not affected | json-path |
| | 6.6.2-today | velocity-tools-2.0.jar | not affected | velocity-tools |
| | 7.3.1-today | tika-core.*.jar | not affected | tika-core.* |
| CVE-2022-42889 | < 9.1 | commons-text-1.9.jar | not affected | commons-text |
| CVE-2022-33980 | < 9.1 | commons-configuration2-2.7.jar | not affected | commons-configuration2 |
| CVE-2022-25168 | < 9.1 | hadoop-common-3.2.2.jar | not affected | hadoop-common |
| CVE-2021-45105, CVE-2021-45046 | 7.4-8.11.1 | log4j-core-2.14.1.jar, log4j-core-2.16.0.jar | not affected | log4j-core |
| CVE-2021-44832 | 7.4-8.11.1 | log4j-core-2.14.1.jar, log4j-core-2.16.0.jar | not affected | log4j-core |
| CVE-2021-33813 | to present | jdom-*.jar | not affected | jdom-* |
| CVE-2020-27223 | 7.3.0-present | jetty-9.4.6 to 9.4.36 | not affected | jetty-9.4.6 to 9.4.36 |
| CVE-2020-27218 | 7.3.0-8.8.0 | jetty-9.4.0 to 9.4.34 | not affected | jetty-9.4.0 to 9.4.34 |
| CVE-2020-13955 | 8.1.0-today | avatica-core-1.13.0.jar, calcite-core-1.18.0.jar | not affected | avatica-core |
| CVE-2019-16869 | 8.2-8.3 | netty-all-4.1.29.Final.jar | not affected | netty-all |
| CVE-2019-10241, CVE-2019-10247 | 7.7.0-8.2 | jetty-9.4.14 | not affected | jetty |
| CVE-2019-10086 | 8.0.0-8.3.0 | commons-beanutils-1.9.3.jar | not affected | commons-beanutils |
| CVE-2018-8088 | 4.x-today | slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar, jul-to-slf4j-1.7.24.jar | not affected | slf4j-api |
| CVE-2018-1471 | 5.4.0-7.7.2, 8.0-8.3 | simple-xml-2.7.1.jar | not affected | simple-xml |
| CVE-2018-1335 | 7.3.1-7.5.0 | tika-core.1.17.jar | not affected | tika-core.1.17 |
| CVE-2018-10237 | 5.4.0-today | carrot2-guava-18.0.jar | not affected | carrot2-guava |
| CVE-2018-10237 | 4.6.0-today | guava-*.jar | not affected | guava-* |
| CVE-2018-1000632 | 4.6.0-today | dom4j-1.6.1.jar | not affected | dom4j |
| CVE-2018-1000056 | 4.6.0-7.6.0 | junit-4.10.jar | not affected | junit |
| CVE-2017-15718 | 6.6.1-7.6.0 | hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all Hadoop) | not affected | hadoop-auth |
| CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, CVE-2018-7489, CVE-2019-12086, CVE-2019-12384, CVE-2018-12814, CVE-2019-14379, CVE-2019-14439, CVE-2020-35490, CVE-2020-35491, CVE-2021-20190, CVE-2019-14540, CVE-2019-16335 | 4.7.0-today | jackson-databind-*.jar | not affected | jackson-databind-* |
| CVE-2017-14952 | 6.0.0-7.5.0 | icu4j-56.1.jar, icu4j-59.1.jar | not affected | icu4j |
| CVE-2017-14868, CVE-2017-14949 | 5.2.0-today | org.restlet-2.3.0.jar | not affected | org.restlet |
| CVE-2016-6809, CVE-2018-1335, CVE-2018-1338, CVE-2018-1339 | 5.5.5, 6.2.0-today | vorbis-java-tika-0.8.jar | not affected | vorbis-java-tika |
| CVE-2015-5237 | 6.5.0-today | protobuf-java-3.1.0.jar | not affected | protobuf-java |
| CVE-2014-7940, CVE-2016-6293, CVE-2016-7415, CVE-2017-14952, CVE-2017-17484, CVE-2017-7867, CVE-2017-7868 | 7.3.1 | lucene-analyzers-icu-7.3.1.jar | not affected | lucene-analyzers-icu |
| CVE-2014-0114 | 4.9.0-7.5.0 | commons-beanutils-1.8.3.jar | not affected | commons-beanutils |
| CVE-2012-2098, CVE-2018-1324, CVE-2018-11771 | 4.6.0-today | commons-compress (only as part of Ant 1.8.2) | not affected | commons-compress (only as part of Ant 1.8.2) |
| CVE-2012-0881 | ~2.9-today | xercesImpl-2.9.1.jar | not affected | xercesImpl |