CVSS: 7.5EPSS: 12%CPEs: 1EXPL: 0CVE-2017-3164
https://notcve.org/view.php?id=CVE-2017-3164
Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL. Hay Server-Side Request Forgery (SSRF) en Apache Solr en versiones desde la 1.3 hasta la 7.6 (inclusivas). Como el parámetro "shards" no tiene un mecanismo de introducción en lista blanca correspondiente, un atacante remoto con acceso al servidor podría hacer que Solr realizara una petición HTTP GET hacia cualquier URL alcanzable. • http://mail-archives.apache.org/mod_mbox/www-announce/201902.mbox/%3CCAECwjAVjBN%3DwO5rYs6ktAX-5%3D-f5JDFwbbTSM2TTjEbGO5jKKA%40mail.gmail.com%3E http://www.securityfocus.com/bid/107026 https://lists.apache.org/thread.html/43026507844ada1ac658ccf7bc939378c13e492fd6538416ce65df39%40%3Cdev.lucene.apache.org%3E https://lists.apache.org/thread.html/75dc651478f9d04505b46d44fe3ac739e7aaf3d7bf1257973685f8f7%40%3Cdev.lucene.apache.org%3E https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E https:/ • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 94%CPEs: 3EXPL: 2CVE-2019-0192 – solr: remote code execution due to unsafe deserialization
https://notcve.org/view.php?id=CVE-2019-0192
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side. En Apache Solr, desde la versión 5.0.0 hasta la 6.0.0 y desde la 6.0.0 hasta la 6.6.5, el API Config permite la configuración del servidor JMX con una petición HTTP POST. Al redirigirlo a un servidor RMI malicioso, un atacante podría aprovecharse de la deserialización insegura de Solr para desencadenar una ejecución remota de código en el lado de Solr.. A flaw was found in the Apache Solr's Config API, where it would permit the configuration of the JMX server via an HTTP POST request. • https://github.com/mpgn/CVE-2019-0192 https://github.com/Rapidsafeguard/Solr-RCE-CVE-2019-0192 http://mail-archives.us.apache.org/mod_mbox/www-announce/201903.mbox/%3CCAECwjAV1buZwg%2BMcV9EAQ19MeAWztPVJYD4zGK8kQdADFYij1w%40mail.gmail.com%3E http://www.securityfocus.com/bid/107318 https://access.redhat.com/errata/RHSA-2019:2413 https://lists.apache.org/thread.html/42c5682f4acd1d03bd963e4f47ae448d7cff66c16b19142773818892%40%3Cdev.lucene.apache.org%3E https://lists.apache.org/thread.html/53e4744b14fb7f1810405f8ff5531ab0953a23dd09ce8071ce87 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0CVE-2018-1308
https://notcve.org/view.php?id=CVE-2018-1308
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Esta vulnerabilidad en Apache Solr 1.2 a 6.6.2 y 7.0.0 a 7.2.1 está relacionado con una expansión XEE (XML External Entity) en el parámetro `dataConfig=` del DataImportHandler de Solr. Puede emplearse como XEE mediante el uso de protocolos file/ftp/http para leer archivos locales arbitrarios del servicio Solr o de la red interna. • https://issues.apache.org/jira/browse/SOLR-11971 https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E https://lists.debian.org/debian-lts-announce/2018/04/msg00025.html https://mail-archives.apache.org/mod_mbox/www-announce/201804.mbox/%3C000001d3cf68%245ac69af0%241053d0d0%24%40apache.org%3E https://www.debian.org/security/2018/dsa-4194 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 10.0EPSS: 97%CPEs: 11EXPL: 2CVE-2017-12629 – Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-12629
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr. Ocurre una ejecución remota de código en Apache Solr en versiones anteriores a la 7.1 con Apache Lucene en versiones anteriores a la 7.1 explotando XXE junto con el uso de un comando add-listener de la API de configuración para alcanzar la clase RunExecutableListener. • https://www.exploit-db.com/exploits/43009 http://mail-archives.us.apache.org/mod_mbox/www-announce/201710.mbox/%3CCAOOKt51UO_6Vy%3Dj8W%3Dx1pMbLW9VJfZyFWz7pAnXJC_OAdSZubA%40mail.gmail.com%3E http://openwall.com/lists/oss-security/2017/10/13/1 http://www.securityfocus.com/bid/101261 https://access.redhat.com/errata/RHSA-2017:3123 https://access.redhat.com/errata/RHSA-2017:3124 https://access.redhat.com/errata/RHSA-2017:3244 https://access.redhat.com/errata/RHSA-2017:3451 https:/ • CWE-138: Improper Neutralization of Special Elements CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2017-3163 – solr: Directory traversal via Index Replication HTTP API
https://notcve.org/view.php?id=CVE-2017-3163
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access. Cuando se usa la característica Index Replication, los nodos Apache Solr pueden tomar archivos index de un nodo master/leader usando una API HTTP que acepta un nombre de archivo. Sin embargo, Solr en versiones anteriores a la 5.5.4 y en versiones 6.x anteriores a la 6.4.1 no valida el nombre de archivo, por lo que fue posible manipular una petición especial que involucre un salto de ruta, dejando expuestos todos los archivos legibles en el proceso de servidor Solr. • https://access.redhat.com/errata/RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1451 https://lists.apache.org/thread.html/a6a33a186f293f9f9aecf3bd39c76252bfc49a79de4321dd2a53b488%40%3Csolr-user.lucene.apache.org%3E https://www.debian.org/security/2018/dsa-4124 https://access.redhat.com/security/cve/CVE-2017-3163 https://bugzilla.redhat.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •