GHSA-vrh8-27q8-fr8f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vrh8-27q8-fr8f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-vrh8-27q8-fr8f/GHSA-vrh8-27q8-fr8f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vrh8-27q8-fr8f
- Aliases
- Published
- 2019-03-14T15:39:56Z
- Modified
- 2024-02-19T05:18:34.480534Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Server-Side Request Forgery (SSRF) in org.apache.solr:solr-core
- Details
-
Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-918" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:58:17Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-3164
- https://github.com/advisories/GHSA-vrh8-27q8-fr8f
- https://lists.apache.org/thread.html/43026507844ada1ac658ccf7bc939378c13e492fd6538416ce65df39@%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/75dc651478f9d04505b46d44fe3ac739e7aaf3d7bf1257973685f8f7@%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/ca3105b6934ccd28e843dffe39724f6963ff49825e9b709837203649@%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/e0f9c652b57a91fdcc287efcead620af9f4d8e46b88f0b761aa265de@%3Cdev.lucene.apache.org%3E
- https://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8@%3Ccommits.submarine.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190327-0003
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- http://mail-archives.apache.org/mod_mbox/www-announce/201902.mbox/%3CCAECwjAVjBN%3DwO5rYs6ktAX-5%3D-f5JDFwbbTSM2TTjEbGO5jKKA%40mail.gmail.com%3E
- http://www.securityfocus.com/bid/107026
Affected packages
Maven / org.apache.solr:solr-core
Package
- Name
- org.apache.solr:solr-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.solr/solr-core
Affected versions
3.*
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.6.1
3.6.2
4.*
4.0.0-ALPHA
4.0.0-BETA
4.0.0
4.1.0
4.2.0
4.2.1
4.3.0
4.3.1
4.4.0
4.5.0
4.5.1
4.6.0
4.6.1
4.7.0
4.7.1
4.7.2
4.8.0
4.8.1
4.9.0
4.9.1
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
5.*
5.0.0
5.1.0
5.2.0
5.2.1
5.3.0
5.3.1
5.3.2
5.4.0
5.4.1
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
6.*
6.0.0
6.0.1
6.1.0
6.2.0
6.2.1
6.3.0
6.4.0
6.4.1
6.4.2
6.5.0
6.5.1
6.6.0
6.6.1
6.6.2
6.6.3
6.6.4
6.6.5
6.6.6
7.*
7.0.0
7.0.1
7.1.0
7.2.0
7.2.1
7.3.0
7.3.1
7.4.0
7.5.0
7.6.0