Skip to content

Security: apache/solr

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

Apache Solr follows the Apache Software Foundation security process. Report suspected vulnerabilities privately to the ASF Security Team at security@apache.org (the Solr PMC is reachable via private@solr.apache.org). Do not open public issues or pull requests for security reports. See https://www.apache.org/security/ and https://solr.apache.org/security.html.

Threat Model

Before reporting — and before triaging a tool/fuzzer/AI finding — read THREAT_MODEL.md. Key points:

  • Solr is a search server meant to run in a trusted environment with authentication + authorization enabled. Never expose an unauthenticated Solr to an untrusted network — the admin/config/package APIs are powerful by design and must be authz-restricted (THREAT_MODEL.md sections 3, 5a, 9).
  • SSRF via shards/streaming-expression remote fetch is bounded by operator network controls, not by Solr (section 9/10).
  • Code-execution-adjacent features (Velocity/scripting, remote streaming) are off by default; reports requiring them enabled are out of model (section 5a).

Findings outside the model (sections 3/9/11a) are closed citing the relevant section.

There aren't any published security advisories