org.apache.solr:solr-core@5.4.1 vulnerabilities

- latest version: 9.5.0
- latest non vulnerable version: (none listed)
- first published: 16 years ago
- latest version published: 2 months ago
- licenses detected: [0,)
- package manager: (not listed)
Direct Vulnerabilities
Known vulnerabilities in the org.apache.solr:solr-core package. This does not include vulnerabilities belonging to this package’s dependencies.
org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene. The advisory text for several entries below is cut off in the source and is reproduced only as far as it survives.

| Vulnerability | Description | Vulnerable versions | How to fix |
|---|---|---|---|
| Improper Input Validation | Affected versions of this package are vulnerable to Improper Input Validation in | [0,8.11.1) | Upgrade |
| Remote Code Execution (RCE) | Affected versions of this package are vulnerable to Remote Code Execution (RCE). One can issue a HTTP request parameter | [,7.1.0) | Upgrade |
| Server-Side Request Forgery (SSRF) | Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). The | [,8.8.2) | Upgrade |
| Access Restriction Bypass | Affected versions of this package are vulnerable to Access Restriction Bypass. When using | [,8.8.2) | Upgrade |
| Information Exposure | Affected versions of this package are vulnerable to Information Exposure. When starting | [,8.8.2) | Upgrade |
| Arbitrary File Access | Affected versions of this package are vulnerable to Arbitrary File Access. The Replication handler allows the commands backup, restore and deleteBackup, which take an unvalidated location parameter, i.e. you could read/write to any location the solr user can access. Launching SMB attacks may result in the exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes); in the case of misconfigured systems, SMB relay attacks can lead to user impersonation on SMB shares or, in a worst-case scenario, remote code execution. | [,8.6.0) | Upgrade |
| XML External Entity (XXE) Injection | Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. It is possible for an attacker to inject external entities through DataImportHandler's | [,8.2.0) | Upgrade |
| Server-side Request Forgery (SSRF) | Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). The | [1.3.0,7.6.0) | Upgrade |
| Deserialization of Untrusted Data | Affected versions of this package are vulnerable to Deserialization of Untrusted Data. ConfigAPI allows to set a | [5.0.0,7.0.0) | Upgrade |
| XML External Entity (XXE) Injection | Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. It can be used as XXE using the | [,6.6.5), [7.0.0,7.4.0) | Upgrade |
| Information Exposure | Affected versions of the package are vulnerable to Information Exposure. Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in the cluster into believing that the malicious node is a member of the cluster. So, if Solr users have enabled the BasicAuth authentication mechanism using the BasicAuthPlugin, or if the user has implemented a custom Authentication plugin which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", their servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected. | [5.3.0,5.5.5), [6.0.0,6.6.0) | Upgrade |
| Directory Traversal | Affected versions of this package are vulnerable to Directory Traversal attacks. The Index Replication feature supports an HTTP API, but does not validate the | [1.4.0,5.5.4), [6.0.0,6.4.1) | |