CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2020-13957

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0090%
EPSS Percentile13.88th
Published2020年10月13日
Last Modified2024年11月21日

Vulnerability Description

Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

Affected Platforms (CPE)

📦
Apache

Solr

>= 6.6.0 and <= 6.6.6
📦
Apache

Solr

>= 7.0.0 and <= 7.7.3
📦
Apache

Solr

>= 8.0.0 and <= 8.6.2

References & Advisories

🔗 https://lists.apache.org/thread.html/r13a728994c60be5b5a7049282b5c926dac1fc6a9a0b2362f6adfa573%40%3Cissues.lucene.apache.org%3E
🔗 https://lists.apache.org/thread.html/r1c783d3d81ba62f3381a17a4d6c826f7dead3a132ba42349c90df075%40%3Ccommits.lucene.apache.org%3E
🔗 https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E
🔗 https://lists.apache.org/thread.html/r2236fdf99ac3efbfc36c2df96d3a88f822baa6f45e13fec7ff558e34%40%3Cdev.bigtop.apache.org%3E
🔗 https://lists.apache.org/thread.html/r226c1112bb41e7cd427862d875eff9877a20a40242c2542f4dd39e4a%40%3Cissues.lucene.apache.org%3E
🔗 https://lists.apache.org/thread.html/r2a6600fe9afd502c04d26fd112823ec3f3c3ad1b4a289d10567a78a0%40%3Cdev.bigtop.apache.org%3E
🔗 https://lists.apache.org/thread.html/r2f8d33a4de07db9459fb2a98a1cd39747066137636b53f84a13e5628%40%3Cissues.lucene.apache.org%3E
🔗 https://lists.apache.org/thread.html/r3d1e24a73e6bffa1d6534e1f34c8f5cbd9999495e7d933640f4fa0ed%40%3Cissues.lucene.apache.org%3E

相關漏洞威脅

CVE-2013-628810.0

Unspecified vulnerability in the Apache Solr for TYPO3 (solr) extension before 2.8.3 for TYPO3 has unknown impact and remote attac...

CVE-2019-01929.8

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST requ...

CVE-2019-142229.8

An issue was discovered in Alfresco Community Edition versions 6.0 and lower. An unauthenticated, remote attacker could authentica...

CVE-2019-124099.8

The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the...