Information Exposure Affecting org.apache.solr:solr-core package, versions [5.3.0,5.5.5)[6.0.0,6.6.0)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Information Exposure vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JAVA-ORGAPACHESOLR-31461
- published31 Aug 2017
- disclosed6 Jul 2017
- creditNoble Paul
Introduced: 6 Jul 2017
CVE-2017-7660 (opens in a new tab)How to fix?
Upgrade org.apache.solr:solr-core to version 6.6.0 or higher.
Overview
org.apache.solr:solr-core is an open source enterprise search platform built on Apache Lucene.
Affected versions of the package are vulnerable to Information Exposure.
Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.