| FileCloud Versions | Component | Related CVEs | Date Added | Status and Notes |
|---|---|---|---|---|
| <21.3.7 | Solr - Apache Commons Text | CVE-2022-42889 | 20 Oct 2022 | Solr uses commons-text directly (StringEscapeUtils.escapeEcmaScript) in LoadAdminUiServlet, which is not vulnerable. Solr also has a "hadoop-auth" module that uses Apache Hadoop, which in turn uses commons-text through commons-configuration2. For Solr, the concern is limited to loading Hadoop configuration files, which are only ever supplied by trusted administrators, never by external (untrusted) users. |
| <22.214.171.12445 | Solr | CVE-2022-39135 | 20 Nov 2022 | Apache Calcite has a vulnerability, CVE-2022-39135, that is exploitable in Apache Solr in SolrCloud mode. If an untrusted user can supply SQL queries to Solr's "/sql" handler (even indirectly, via proxies or other applications), that user can perform an XML External Entity (XXE) attack. See the mitigation and note below. |

Mitigation for CVE-2022-39135: If, like most Solr installations, yours does not use the SQL functionality, follow the standard Solr security advice and restrict network access to Solr with a firewall. If your Solr installation does use the SQL functionality, refer to https://solr.apache.org/security.html#apache-solr-is-vulnerable-to-cve-2022-39135-via-sql-handler for how to disable the handler.

NOTE: FileCloud does not make Solr publicly available by default. FileCloud does not use SolrCloud, and SolrCloud is not publicly available by default.
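The mitigation above rests on the /sql handler being reachable only from trusted sources. One way to verify that from the Solr side is to scan the Solr (Jetty) request log for requests to a collection's /sql handler that did not originate from loopback or an allowlisted network. The script below is an added example written for this page; it is not FileCloud's or Solr's own code. It assumes an NCSA-style request log line (source address first, then the quoted request line), which is how Solr's Jetty request log is laid out by default, and it uses a constructed sample log and a hypothetical allowlist of `10.0.1.0/24` as the trusted FileCloud application network.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# NCSA-style request log line (assumed format; confirm against your own log):
#   <src> - - [<timestamp>] "<METHOD> <path> HTTP/x.y" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Solr exposes the SQL handler per collection as /solr/<collection>/sql.
# Match the handler path itself, before any query string or trailing slash.
SQL_PATH_RE = re.compile(r'^/solr/[^/?]+/sql(?:[?/]|$)')

# Constructed sample log. 198.51.100.23 is a documentation-range address
# standing in for an untrusted external client.
SAMPLE_LOG = """\
127.0.0.1 - - [20/Nov/2022:10:01:02 +0000] "GET /solr/admin/info/system HTTP/1.1" 200 512
127.0.0.1 - - [20/Nov/2022:10:01:05 +0000] "POST /solr/files/sql HTTP/1.1" 200 2048
10.0.1.15 - - [20/Nov/2022:10:02:11 +0000] "POST /solr/files/sql?stmt=select+id+from+files HTTP/1.1" 200 1024
198.51.100.23 - - [20/Nov/2022:10:03:40 +0000] "POST /solr/files/sql HTTP/1.1" 200 1024
198.51.100.23 - - [20/Nov/2022:10:03:41 +0000] "GET /solr/files/select?q=*:* HTTP/1.1" 200 4096
"""

# Hypothetical trusted network for the FileCloud application servers.
TRUSTED_CIDRS = ["10.0.1.0/24"]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one request log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sql_request(path: str) -> bool:
    """True if the request path targets a collection's /sql handler."""
    return SQL_PATH_RE.match(path) is not None


def is_trusted_source(src: str, allow: List[ipaddress._BaseNetwork]) -> bool:
    """Loopback or any address inside an allowlisted network counts as trusted."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        # Hostnames or garbage in the source field are treated as untrusted.
        return False
    return ip.is_loopback or any(ip in net for net in allow)


def find_untrusted_sql_requests(lines: Iterable[str],
                                allow_cidrs: List[str]) -> List[Dict[str, str]]:
    """Return parsed log records for /sql requests from non-trusted sources."""
    allow = [ipaddress.ip_network(c) for c in allow_cidrs]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        if is_sql_request(rec["path"]) and not is_trusted_source(rec["src"], allow):
            hits.append(rec)
    return hits


def run_sample() -> List[Dict[str, str]]:
    """Scan the constructed sample log with the hypothetical allowlist."""
    return find_untrusted_sql_requests(SAMPLE_LOG.splitlines(), TRUSTED_CIDRS)


if __name__ == "__main__":
    for rec in run_sample():
        print(f"untrusted /sql request from {rec['src']} at {rec['ts']}: "
              f"{rec['method']} {rec['path']}")
```

A hit from outside the allowlist means Solr is reachable in a way the FileCloud default does not intend and the firewall advice above has not been applied. The check sees only the immediate source address, so a request relayed through the FileCloud application or another proxy will show up as trusted; for that path, the question of who can submit SQL has to be answered at the proxying application, not in Solr's log.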