org.apache.solr:solr-core@6.5.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.solr:solr-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Exposure of Sensitive Information to an Unauthorized Actor

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor due to the use of a zkHost parameter that allows users to extract data from other Solr Clouds. When the original SolrCloud is configured to use ZooKeeper credentials and ACLs, these credentials are sent to any zkHost specified by the user. An attacker could exploit this by setting up a mock ZooKeeper server that accepts ZooKeeper requests with credentials and ACLs to extract sensitive information. Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions.

How to fix Exposure of Sensitive Information to an Unauthorized Actor?

Upgrade org.apache.solr:solr-core to version 8.11.3, 9.4.1 or higher.

[6.0.0,8.11.3) [9.0.0,9.4.1)
  • H
Unrestricted Upload of File with Dangerous Type

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type due to the ConfigSets API accepting Java jar and class files. When backing up Solr Collections, these configSet files are saved to disk using the LocalFileSystemRepository, which is the default for backups. If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files become available for use with any ConfigSet, regardless of trust level.

Note: This vulnerability is most severe when Authorization is not enabled, which is strongly recommended against. With Authorization enabled it is limited to extending the Backup permissions with the ability to add libraries.

How to fix Unrestricted Upload of File with Dangerous Type?

Upgrade org.apache.solr:solr-core to version 8.11.3, 9.4.1 or higher.

[6.0.0,8.11.3) [9.0.0,9.4.1)
  • M
Insufficiently Protected Credentials

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to system property redaction logic inconsistencies. An attacker can access sensitive information, such as credentials for basic authentication or AWS secret keys, by exploiting the /admin/info/properties endpoint. This endpoint was intended to hide system properties containing "password" in their name, but failed to conceal other sensitive properties, including "basicauth" and "aws.secretKey", thus making them accessible via the Solr Admin UI. This is only exploitable if the Solr Cloud has Authorization enabled and the attacker has the "config-read" permission.

How to fix Insufficiently Protected Credentials?

Upgrade org.apache.solr:solr-core to version 8.11.3, 9.3.0 or higher.

[6.0.0,8.11.3) [9.0.0,9.3.0)
  • M
Improper Input Validation

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Improper Input Validation in DataImportHandler, which allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in the exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes). In case of misconfigured systems, SMB relay attacks can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution.

How to fix Improper Input Validation?

Upgrade org.apache.solr:solr-core to version 8.11.1 or higher.

[0,8.11.1)
  • M
Remote Code Execution (RCE)

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Remote Code Execution (RCE). One can issue a HTTP request parameter stream.body which Solr will interpret as body content on the request, i.e. act as a POST request. This is useful for development and testing but can pose a security risk in production since users/clients with permission to GET on various endpoints can also post by using stream.body. The classic example is &stream.body=<delete><query>:</query></delete>. Furthermore, this feature cannot be turned off by configuration as it is not controlled by enableRemoteStreaming.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.solr:solr-core to version 7.1.0 or higher.

[,7.1.0)
  • H
Server-Side Request Forgery (SSRF)

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). The ReplicationHandler (normally registered at /replication under a Solr core) has a masterUrl (also leaderUrl alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. These parameters are not checked against a similar configuration it uses for the shards parameter.

How to fix Server-Side Request Forgery (SSRF)?

Upgrade org.apache.solr:solr-core to version 8.8.2 or higher.

[,8.8.2)
  • M
Access Restriction Bypass

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Access Restriction Bypass. When using ConfigurableInternodeAuthHadoopPlugin for authentication, Solr forwards/proxies distributed requests using server credentials instead of original client credentials. This results in incorrect authorization resolution on the receiving hosts.

How to fix Access Restriction Bypass?

Upgrade org.apache.solr:solr-core to version 8.8.2 or higher.

[,8.8.2)
  • L
Information Exposure

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Information Exposure. When starting Solr, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.

How to fix Information Exposure?

Upgrade org.apache.solr:solr-core to version 8.8.2 or higher.

[,8.8.2)
  • M
Arbitrary File Access

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Arbitrary File Access. The Replication handler allows commands backup, restore and deleteBackup that take unvalidated alocation parameter, i.e you could read/write to any location the solr user can access. Launching SMB attacks which may result in the exfiltration of sensitive data such as OS user hashes (NTLM/LMhashes). In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution.

How to fix Arbitrary File Access?

Upgrade org.apache.solr:solr-core to version 8.6.0 or higher.

[,8.6.0)
  • M
Authentication Bypass

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Authentication Bypass. In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests.

This affects all Solr that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).

How to fix Authentication Bypass?

Upgrade org.apache.solr:solr-core to version 6.6.6, 7.7.0 or higher.

[6.0.0,6.6.6) [7.0.0,7.7.0)
  • H
XML External Entity (XXE) Injection

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. It is possible for an attacker to inject external entities through DataImportHandler's dataConfig parameter which is used for setting the whole DIH configuration when using debug mode of the DIH admin screen.

How to fix XML External Entity (XXE) Injection?

Upgrade org.apache.solr:solr-core to version 8.2.0 or higher.

[,8.2.0)
  • M
Server-side Request Forgery (SSRF)

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). The shards parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.

How to fix Server-side Request Forgery (SSRF)?

Upgrade org.apache.solr:solr-core to version 7.6.0 or higher.

[1.3.0,7.6.0)
  • C
Deserialization of Untrusted Data

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. ConfigAPI allows to set a jmx.serviceUrl that will create a new JMXConnectorServerFactory and trigger a call with 'bind' operation to a target RMI/LDAP server. A malicious RMI server could respond with arbitrary object that will be deserialized on the Solr side using java's ObjectInputStream, which is considered unsafe. This type of vulnerabilities can be exploited with ysoserial tool. Depending on the target classpath, an attacker can use one of known "gadget chains" to trigger Remote Code Execution on the Solr side.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.solr:solr-core to version 7.0.0 or higher.

[5.0.0,7.0.0)
  • M
XML External Entity (XXE) Injection

org.apache.solr:solr-core is an enterprise search platform written using Apache Lucene.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. It can be used as XXE using the file/ftp/http protocols in order to read arbitrary local files from the server or the internal network. The manipulated files can be uploaded as config sets using solr's API, allowing to exploit that vulnerability.

How to fix XML External Entity (XXE) Injection?

Upgrade org.apache.solr:solr-core to versions 6.6.5, 7.4 or higher.

[,6.6.5) [7.0.0,7.4.0)
  • M
XML External Entity (XXE) Injection

org.apache.solr:solr-core is a text search engine library written in Java.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the solrconfig.xml,schema.xml and managed-schema config files.

How to fix XML External Entity (XXE) Injection?

Upgrade org.apache.solr:solr-core to versions 6.6.4, 7.3.1 or higher.

[6.0.0,6.6.4) [7.0.0,7.3.1)
  • C
XML External Entity (XXE) Injection

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.

[5.5.0,5.5.5) [6.0.0,6.6.2) [7.0.0,7.1.0)
  • H
Privilege Escalation

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene.

Affected versions of the package are vulnerable to Privilege Escalation. Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster. The vulnerability is fixed from Solr 6.6.1 onwards.

How to fix Privilege Escalation?

Upgrade org.apache.solr:solr-core to version 6.6.1 or higher.

[6.2.0,6.6.1)
  • H
Information Exposure

org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene.

Affected versions of the package are vulnerable to Information Exposure.

Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.

How to fix Information Exposure?

Upgrade org.apache.solr:solr-core to version 6.6.0 or higher.

[5.3.0,5.5.5) [6.0.0,6.6.0)