GHSA-387v-84cv-9qmc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-387v-84cv-9qmc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-387v-84cv-9qmc/GHSA-387v-84cv-9qmc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-387v-84cv-9qmc
- Aliases
- Published
- 2018-10-18T16:40:43Z
- Modified
- 2023-11-08T03:59:20.650184Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Improper Limitation of a Pathname ('Path Traversal') in org.apache.solr:solr-core
- Details
-
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2020-06-16T20:54:26Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-22" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-3163
- https://access.redhat.com/errata/RHSA-2018:1447
- https://access.redhat.com/errata/RHSA-2018:1448
- https://access.redhat.com/errata/RHSA-2018:1449
- https://access.redhat.com/errata/RHSA-2018:1450
- https://access.redhat.com/errata/RHSA-2018:1451
- https://github.com/advisories/GHSA-387v-84cv-9qmc
- https://lists.apache.org/thread.html/a6a33a186f293f9f9aecf3bd39c76252bfc49a79de4321dd2a53b488@%3Csolr-user.lucene.apache.org%3E
- https://www.debian.org/security/2018/dsa-4124
Affected packages
Maven / org.apache.solr:solr-core
Package
- Name
- org.apache.solr:solr-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.solr/solr-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.5.4
Affected versions
1.*
1.3.0
1.4.0
1.4.1
3.*
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.6.1
3.6.2
4.*
4.0.0-ALPHA
4.0.0-BETA
4.0.0
4.1.0
4.2.0
4.2.1
4.3.0
4.3.1
4.4.0
4.5.0
4.5.1
4.6.0
4.6.1
4.7.0
4.7.1
4.7.2
4.8.0
4.8.1
4.9.0
4.9.1
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
5.*
5.0.0
5.1.0
5.2.0
5.2.1
5.3.0
5.3.1
5.3.2
5.4.0
5.4.1
5.5.0
5.5.1
5.5.2
5.5.3
Maven / org.apache.solr:solr-core
Package
- Name
- org.apache.solr:solr-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.solr/solr-core