Apache Solr up to 7.6 Node Request authorization

entryeditHistoryDiffjsonxmlCTI

A vulnerability classified as critical has been found in Apache Solr up to 7.6. This affects an unknown part of the component Node Handler. Upgrading to version 7.7 eliminates this vulnerability.

Field04/02/2020 12:55 PM04/02/2020 01:00 PM
vendorApacheApache
nameSolrSolr
version<=7.6<=7.6
componentNode HandlerNode Handler
input_typeRequestRequest
discoverydate15560640001556064000
risk22
cvss2_vuldb_basescore6.56.5
cvss2_vuldb_tempscore5.75.7
cvss2_vuldb_avNN
cvss2_vuldb_acLL
cvss2_vuldb_auSS
cvss2_vuldb_ciPP
cvss2_vuldb_iiPP
cvss2_vuldb_aiPP
cvss3_meta_basescore5.35.3
cvss3_meta_tempscore5.15.1
cvss3_vuldb_basescore6.36.3
cvss3_vuldb_tempscore6.06.0
cvss3_vuldb_avNN
cvss3_vuldb_acLL
cvss3_vuldb_prLL
cvss3_vuldb_uiNN
cvss3_vuldb_sUU
cvss3_vuldb_cLL
cvss3_vuldb_iLL
cvss3_vuldb_aLL
date1585699200 (04/01/2020)1585699200 (04/01/2020)
price_0day$5k-$25k$5k-$25k
nameUpgradeUpgrade
upgrade_version7.77.7
cveCVE-2018-11802CVE-2018-11802
cvss2_vuldb_eNDND
cvss2_vuldb_rlOFOF
cvss2_vuldb_rcNDND
cvss3_vuldb_eXX
cvss3_vuldb_rlOO
cvss3_vuldb_rcXX
0day_days343343
cvss3_nvd_basescore4.34.3
cwe0863 (privilege escalation)
cvss2_nvd_avN
cvss2_nvd_acL
cvss2_nvd_auS
cvss2_nvd_ciP
cvss2_nvd_iiN
cvss2_nvd_aiN
cvss3_nvd_avN
cvss3_nvd_acL
cvss3_nvd_prL
cvss3_nvd_uiN
cvss3_nvd_sU
cvss3_nvd_cL
cvss3_nvd_iN
cvss3_nvd_aN
cve_assigned1528156800
cve_nvd_summaryIn Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!