Bug 1308619 (CVE-2015-8795, CVE-2015-8796, CVE-2015-8797)

Summary: CVE-2015-8795 solr: multiple XSS vulnerabilities
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: java-sig-commits, puntogil
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: solr 5.3.1, solr 5.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:48:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1308620    
Bug Blocks:    

Description Andrej Nemec 2016-02-15 15:53:32 UTC 
CVE 2015-8795:

Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in
Apache Solr before 5.1 allow remote attackers to inject arbitrary web
script or HTML via crafted fields that are mishandled during the
rendering of the (1) Analysis page, related to
webapp/web/js/scripts/analysis.js or (2) Schema-Browser page, related
to webapp/web/js/scripts/schema-browser.js.

https://issues.apache.org/jira/browse/SOLR-7346

CVE 2015-8796:

Cross-site scripting (XSS) vulnerability in
webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr
before 5.3 allows remote attackers to inject arbitrary web script or
HTML via a crafted schema-browse URL.

https://issues.apache.org/jira/browse/SOLR-7920

CVE 2015-8797:

Cross-site scripting (XSS) vulnerability in
webapp/web/js/scripts/plugins.js in the stats page in the Admin UI in
Apache Solr before 5.3.1 allows remote attackers to inject arbitrary
web script or HTML via the entry parameter to a plugins/cache URI.

https://issues.apache.org/jira/browse/SOLR-7949
Comment 1 Andrej Nemec 2016-02-15 15:54:04 UTC 
Created solr tracking bugs for this issue:

Affects: fedora-all [bug 1308620]
Comment 2 gil cattaneo 2016-02-15 18:03:45 UTC 
The problem does not exist, because the affected components are not used, due to the inability to use them
Comment 3 gil cattaneo 2016-06-02 14:56:06 UTC 
solr was retired. depend on hadoop that was retired
Comment 4 Product Security DevOps Team 2019-06-08 02:48:22 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.