Page 2 of 23 results (0.004 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e you could read/write to any location the solr user can access. Reportado en SOLR-14515 (privado) y corregido en SOLR-14561 (público), publicado en Solr versión 8.6.0. El manejador de Replicación (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) permite una copia de seguridad, restauración y eliminación de copias de seguridad de los comandos. • https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/rbcd9dff009ed19ffcc2b09784595fc1098fc802a5472f81795f893be%40%3Ccommits.lucene.apache.org%3E https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8%40%3Ccommits.submarine.apache.org%3E https://lists.apache.org/thread.html/rf54e7912b7d2b72c63ec54a7afa4adcbf16268dcc63253767dd67d60%40%3Cgeneral.lucene.apache.org%3E • CWE-20: Improper Input Validation •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin). En Apache Solr, el clúster puede ser particionado en varias colecciones y solo un subconjunto de nodos realmente aloja una colección determinada. • https://www.openwall.com/lists/oss-security/2019/04/24/1 • CWE-863: Incorrect Authorization •

CVSS: 7.5EPSS: 97%CPEs: 7EXPL: 6

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. • https://www.exploit-db.com/exploits/47572 https://www.exploit-db.com/exploits/48338 http://packetstormsecurity.com/files/157078/Apache-Solr-8.3.0-Velocity-Template-Remote-Code-Execution.html https://issues.apache.org/jira/browse/SOLR-13971 https://lists.apache.org/thread.html/r0b7b9d4113e6ec1ae1d3d0898c645f758511107ea44f0f3a1210c5d5%40%3Cissues.lucene.apache.org%3E https://lists.apache.org/thread.html/r12ab2cb15a34e49b4fecb5b2bdd7e10f3e8b7bf1f4f47fcde34d3a7c%40%3Cissues.lucene.apache.org%3E https://lists.apache.org/thread.html/r • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1

Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it’s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs. Las versiones de Solr 1.3.0 a 1.4.1, 3.1.0 a 3.6.2 y 4.0.0 a 4.10.4 son vulnerables a un ataque de consumo de recursos XML (también conocido como Lol Bomb) a través de su controlador de actualización. En el caso de los elementos de tipo, el atacante puede crear un patrón que se expandirá cuando el servidor analice el XML que causa los OOM. • http://mail-archives.us.apache.org/mod_mbox/www-announce/201909.mbox/%3CCAECwjAXU4%3DkAo5DeUJw7Kvk67sgCmajAN7LGZQNjbjZ8gv%3DBdw%40mail.gmail.com%3E http://www.openwall.com/lists/oss-security/2019/09/10/1 https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12401-XML%20Bomb-Apache%20Solr https://lists.apache.org/thread.html/048ae6e4f84a88e8856f766320b48ad91f9fca2c6f621aa2c40088fe%40%3Cdev.lucene.apache.org%3E https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579%40%3Cdev.lucene.apache.org%3E • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •

CVSS: 9.0EPSS: 93%CPEs: 4EXPL: 3

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true. En Solr de Apache, el DataImportHandler, un módulo opcional pero popular para extraer datos de bases de datos y otras fuentes, presenta una funcionalidad en la que toda la configuración de DIH puede provenir del parámetro "dataConfig" de una petición. • https://github.com/jas502n/CVE-2019-0193 https://github.com/xConsoIe/CVE-2019-0193 https://github.com/jaychouzzk/CVE-2019-0193-exp https://issues.apache.org/jira/browse/SOLR-13669 https://lists.apache.org/thread.html/1addbb49a1fc0947fb32ca663d76d93cfaade35a4848a76d4b4ded9c%40%3Cissues.lucene.apache.org%3E https://lists.apache.org/thread.html/42cc4d334ba33905b872a0aa00d6a481391951c8b1450f01b077ce74%40%3Cissues.lucene.apache.org%3E https://lists.apache.org/thread.html/55880d48e38ba9e8c41a3b9e41051dbfdef63b86b0cfeb32967edf03%40%3Cissues.lucene.apac • CWE-94: Improper Control of Generation of Code ('Code Injection') •