apache / solr-operator

Official Kubernetes operator for Apache Solr
https://solr.apache.org/operator
Apache License 2.0
243 stars 112 forks

Upgrade golang to v1.20 #570

Closed sujeeth62 closed 1 year ago

sujeeth62 commented 1 year ago

Following are the CVEs reported on Solr v0.7.0:

1. CVE-2023-29400: Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

2. CVE-2023-24540: Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

3. CVE-2023-24539: Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.

Solr-Operator images need to be updated to 1.19.9/1.20.4 in order to fix the above.
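The comment above names the minimum patched Go releases (1.19.9 on the 1.19 line, 1.20.4 on the 1.20 line). The following is an added example, not code from the solr-operator project or from anyone in this thread: a small Go check that parses a toolchain version string (as returned by `runtime.Version()` or read from a `go.mod`/Dockerfile in CI) and reports whether it is at or past those minimums. The function names `GoVersionPatched`, `parseGoVersion` and `leadingInt` and the `minPatched` table are hypothetical; the assumption that minor lines newer than 1.20 are patched (they were released after the fixes) is the author's of this example, not stated in the issue.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// minPatched maps a Go 1.x minor line to the first patch release that carries
// the html/template fixes listed in the issue. The two entries come from the
// issue text; other minor lines are handled by GoVersionPatched's rules below.
var minPatched = map[int]int{19: 9, 20: 4}

// leadingInt parses the run of decimal digits at the start of s, so that a
// component like "21rc1" yields 21 and a component like "rc1" is rejected.
func leadingInt(s string) (int, bool) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, false
	}
	n, err := strconv.Atoi(s[:i])
	return n, err == nil
}

// parseGoVersion turns "go1.19.9", "1.20.4" or "go1.21rc1" into
// (major, minor, patch). A missing patch component is treated as 0; strings
// such as "devel +abcdef" are reported as an error rather than guessed at.
func parseGoVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	parts := strings.SplitN(v, ".", 3)
	if len(parts) < 2 {
		return 0, 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	var ok bool
	if major, ok = leadingInt(parts[0]); !ok {
		return 0, 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	if minor, ok = leadingInt(parts[1]); !ok {
		return 0, 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	if len(parts) == 3 {
		if patch, ok = leadingInt(parts[2]); !ok {
			return 0, 0, 0, fmt.Errorf("unrecognised Go version %q", v)
		}
	}
	return major, minor, patch, nil
}

// GoVersionPatched reports whether toolchain version v carries the fixes:
// 1.19.x needs x >= 9, 1.20.x needs x >= 4, any 1.y line with y > 20 is
// assumed patched (released after the fixes), and y < 19 is unpatched.
func GoVersionPatched(v string) (bool, error) {
	major, minor, patch, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	if major != 1 {
		return major > 1, nil
	}
	if need, ok := minPatched[minor]; ok {
		return patch >= need, nil
	}
	return minor > 20, nil
}

func main() {
	// Check the toolchain this binary was built with; in CI the same function
	// can be pointed at the version pinned in go.mod or the Dockerfile.
	v := runtime.Version()
	ok, err := GoVersionPatched(v)
	switch {
	case err != nil:
		fmt.Printf("cannot evaluate %q: %v\n", v, err)
	case ok:
		fmt.Printf("%s carries the html/template fixes\n", v)
	default:
		fmt.Printf("%s is below the minimum patched release (1.19.9 / 1.20.4)\n", v)
	}
}
```

Wiring this into the operator's build (for example as a step that fails the pipeline when the pinned Go version is too old) keeps the upgrade from silently regressing in a later dependency bump.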

HoustonPutman commented 1 year ago

Please feel free to open a PR for an upgrade to Golang v1.20; it only needs to be updated in a few places (go.mod, Dockerfile, and the GitHub Actions)!

sujeeth62 commented 1 year ago

Raised PR: https://github.com/apache/solr-operator/pull/578