CyberSec.Space Logo
CVEブラウザに戻る

CVE-2021-27905

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0460%
EPSS Percentile6.79th
Published2021年4月13日
Last Modified2024年11月21日

Vulnerability Description

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.

Affected Platforms (CPE)

📦
Apache

Solr

< 8.8.2

References & Advisories

🔗 https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E
🔗 https://lists.apache.org/thread.html/r140128dc6bb4f4e0b6a39e962c7ca25a8cbc8e48ed766176c931fccc%40%3Cusers.solr.apache.org%3E
🔗 https://lists.apache.org/thread.html/r3da74965aba2b5f5744b7289ad447306eeb2940c872801819faa9314%40%3Cusers.solr.apache.org%3E
🔗 https://lists.apache.org/thread.html/r6ccec7fc54d82591b23c143f1f6a6e38f6e03e75db70870e4cb14a1a%40%3Ccommits.ofbiz.apache.org%3E
🔗 https://lists.apache.org/thread.html/r720a4a0497fc90bad5feec8aa18b777912ee15c7eeb5f882adbf523e%40%3Ccommits.ofbiz.apache.org%3E
🔗 https://lists.apache.org/thread.html/r78a3a4f1138a1608b0c6d4a2ee7647848c1a20b0d5c652cd9b02c25a%40%3Ccommits.ofbiz.apache.org%3E
🔗 https://lists.apache.org/thread.html/r8f1152a43c36d878bbeb5a92f261e9efaf3af313b033d7acfccea59d%40%3Cnotifications.ofbiz.apache.org%3E
🔗 https://lists.apache.org/thread.html/r95df34bb158375948da82b4dfe9a1b5d528572d586584162f8f5aeef%40%3Cusers.solr.apache.org%3E

関連する脆弱性情報

CVE-2013-628810.0

Unspecified vulnerability in the Apache Solr for TYPO3 (solr) extension before 2.8.3 for TYPO3 has unknown impact and remote attac...

CVE-2019-01929.8

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST requ...

CVE-2019-142229.8

An issue was discovered in Alfresco Community Edition versions 6.0 and lower. An unauthenticated, remote attacker could authentica...

CVE-2019-124099.8

The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the...