CVE-2018-11802

Source
https://cve.org/CVERecord?id=CVE-2018-11802
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11802.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-11802
Aliases
Downstream
Published
2020-04-01T22:15:15.147Z
Modified
2026-02-13T01:27:52.887987Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).

References

Affected packages

Git / github.com/apache/lucene-solr

Affected ranges

Type
GIT
Repo
https://github.com/apache/lucene-solr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed

Database specific

vanir_signatures
[
    {
        "id": "CVE-2018-11802-4fe96428",
        "signature_version": "v1",
        "digest": {
            "function_hash": "308739340421956481246291162240390713997",
            "length": 1730.0
        },
        "deprecated": false,
        "source": "https://github.com/apache/lucene-solr/commit/8c831daf4eb41153c25ddb152501ab5bae3ea3d5",
        "signature_type": "Function",
        "target": {
            "file": "lucene/core/src/java/org/apache/lucene/geo/EdgeTree.java",
            "function": "relateTriangle"
        }
    },
    {
        "id": "CVE-2018-11802-70fb7911",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "258734105170027984494162467317084867504",
                "266422825929808091316347104501935196365",
                "290166705146631466776590849449822047422",
                "161702909529908879226857824834551265036",
                "160587357829923884222932439984308525317"
            ]
        },
        "deprecated": false,
        "source": "https://github.com/apache/lucene-solr/commit/8c831daf4eb41153c25ddb152501ab5bae3ea3d5",
        "signature_type": "Line",
        "target": {
            "file": "lucene/core/src/java/org/apache/lucene/geo/EdgeTree.java"
        }
    },
    {
        "id": "CVE-2018-11802-eaa4f940",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "118162482691833253510239430860148940983",
                "259377208589146651262603503556645635274"
            ]
        },
        "deprecated": false,
        "source": "https://github.com/apache/lucene-solr/commit/8c831daf4eb41153c25ddb152501ab5bae3ea3d5",
        "signature_type": "Line",
        "target": {
            "file": "lucene/sandbox/src/test/org/apache/lucene/document/TestLatLonShape.java"
        }
    }
]