Remote Code Execution (RCE) Affecting org.apache.solr:solr-core Open this link in a new tab package, versions [,7.1.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
21 May 2021
21 May 2021
Introduced: 21 May 2021CWE-94 Open this link in a new tab
How to fix?
org.apache.solr:solr-core to version 7.1.0 or higher.
org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene
Affected versions of this package are vulnerable to Remote Code Execution (RCE). One can issue a HTTP request parameter
stream.body which Solr will interpret as body content on the request, i.e. act as a POST request. This is useful for development and testing but can pose a security risk in production since users/clients with permission to GET on various endpoints can also post by using
stream.body. The classic example is
&stream.body=<delete><query>:</query></delete>. Furthermore, this feature cannot be turned off by configuration as it is not controlled by