CVE-2017-7660
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.
Apache Solr utiliza un mecanismo basado en PKI para proteger la comunicación entre nodos cuando la seguridad está habilitada. Es posible crear un nombre de nodo especialmente elaborado que no existe como parte del clúster y apunta hacia un nodo malicioso. Esto puede engañar a los nodos del clúster para creer que el nodo malicioso es un miembro del clúster. Por lo tanto, si los usuarios de Solr han habilitado el mecanismo de autenticación BasicAuth mediante BasicAuthPlugin o si el usuario ha implementado un complemento de autenticación personalizado, que no implementa "HttpClientInterceptorPlugin" o "HttpClientBuilderPlugin", sus servidores son vulnerables a este ataque. Los usuarios que solo utilizan SSL sin autenticación básica o aquellos que utilizan Kerberos no se ven afectados.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-04-11 CVE Reserved
- 2017-07-07 CVE Published
- 2023-03-07 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/99485 | Third Party Advisory | |
| https://security.netapp.com/advisory/ntap-20181127-0003 | X_refsource_confirm |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 5.3.0 Search vendor "Apache" for product "Solr" and version "5.3.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 5.3.1 Search vendor "Apache" for product "Solr" and version "5.3.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 5.3.2 Search vendor "Apache" for product "Solr" and version "5.3.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 5.4.0 Search vendor "Apache" for product "Solr" and version "5.4.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 5.4.1 Search vendor "Apache" for product "Solr" and version "5.4.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 5.5.0 Search vendor "Apache" for product "Solr" and version "5.5.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 5.5.1 Search vendor "Apache" for product "Solr" and version "5.5.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 5.5.2 Search vendor "Apache" for product "Solr" and version "5.5.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 5.5.3 Search vendor "Apache" for product "Solr" and version "5.5.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 5.5.4 Search vendor "Apache" for product "Solr" and version "5.5.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 6.0.0 Search vendor "Apache" for product "Solr" and version "6.0.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 6.0.1 Search vendor "Apache" for product "Solr" and version "6.0.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 6.1.0 Search vendor "Apache" for product "Solr" and version "6.1.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 6.2.0 Search vendor "Apache" for product "Solr" and version "6.2.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 6.2.1 Search vendor "Apache" for product "Solr" and version "6.2.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 6.3.0 Search vendor "Apache" for product "Solr" and version "6.3.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 6.4.0 Search vendor "Apache" for product "Solr" and version "6.4.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 6.4.1 Search vendor "Apache" for product "Solr" and version "6.4.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 6.4.2 Search vendor "Apache" for product "Solr" and version "6.4.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 6.5.0 Search vendor "Apache" for product "Solr" and version "6.5.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 6.5.1 Search vendor "Apache" for product "Solr" and version "6.5.1" | - |
Affected
| ||||||