CVE-2017-9803 in Kerberos Plugininfo

Summary

Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster. The vulnerability is fixed from Solr 6.6.1 onwards.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Reservation

06/21/2017

Disclosure

09/18/2017

Moderation

VulDB entry created

Entries

CPE

ready

CWE

CWE-287 (Confirmed)

CVSS

6.5

EPSS

0.01546

Activities

Very Low

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2017-9803
NVD	https://nvd.nist.gov/vuln/detail/CVE-2017-9803
CVE Details	https://www.cvedetails.com/cve/CVE-2017-9803/

◂ Previous Overview Next ▸

Might our Artificial Intelligence support you?

Check our Alexa App!