UBUNTU-CVE-2026-22022
- Source
- https://ubuntu.com/security/CVE-2026-22022
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-22022.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-22022
- Upstream
- Published
- 2026-01-21T14:16:00Z
- Modified
- 2026-01-30T21:03:28.412090Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria are impacted by this vulnerability: * Use of Solr's "RuleBasedAuthorizationPlugin" * A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles" * A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read". * A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission * A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway) Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role. Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.
- References
Affected packages
Ubuntu:20.04:LTS
lucene-solr
Package
- Name
- lucene-solr
- Purl
- pkg:deb/ubuntu/lucene-solr@3.6.2+dfsg-22?arch=source&distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "liblucene3-contrib-java",
"binary_version": "3.6.2+dfsg-22"
},
{
"binary_name": "liblucene3-java",
"binary_version": "3.6.2+dfsg-22"
},
{
"binary_name": "libsolr-java",
"binary_version": "3.6.2+dfsg-22"
},
{
"binary_name": "solr-common",
"binary_version": "3.6.2+dfsg-22"
},
{
"binary_name": "solr-jetty",
"binary_version": "3.6.2+dfsg-22"
},
{
"binary_name": "solr-tomcat",
"binary_version": "3.6.2+dfsg-22"
}
]
}Ubuntu:22.04:LTS
lucene-solr
Package
- Name
- lucene-solr
- Purl
- pkg:deb/ubuntu/lucene-solr@3.6.2+dfsg-24?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:24.04:LTS
lucene-solr
Package
- Name
- lucene-solr
- Purl
- pkg:deb/ubuntu/lucene-solr@3.6.2+dfsg-26?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:25.10
lucene-solr
Package
- Name
- lucene-solr
- Purl
- pkg:deb/ubuntu/lucene-solr@3.6.2+dfsg-26?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:Pro:14.04:LTS
lucene-solr
Package
- Name
- lucene-solr
- Purl
- pkg:deb/ubuntu/lucene-solr@3.6.2+dfsg-2ubuntu0.1~esm4?arch=source&distro=esm-infra-legacy/trusty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
3.*
Ecosystem specific
{
"binaries": [
{
"binary_name": "liblucene3-contrib-java",
"binary_version": "3.6.2+dfsg-2ubuntu0.1~esm4"
},
{
"binary_name": "liblucene3-java",
"binary_version": "3.6.2+dfsg-2ubuntu0.1~esm4"
},
{
"binary_name": "libsolr-java",
"binary_version": "3.6.2+dfsg-2ubuntu0.1~esm4"
},
{
"binary_name": "solr-common",
"binary_version": "3.6.2+dfsg-2ubuntu0.1~esm4"
},
{
"binary_name": "solr-jetty",
"binary_version": "3.6.2+dfsg-2ubuntu0.1~esm4"
},
{
"binary_name": "solr-tomcat",
"binary_version": "3.6.2+dfsg-2ubuntu0.1~esm4"
}
]
}Ubuntu:Pro:16.04:LTS
lucene-solr
Package
- Name
- lucene-solr
- Purl
- pkg:deb/ubuntu/lucene-solr@3.6.2+dfsg-8ubuntu0.1+esm1?arch=source&distro=esm-apps/xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "liblucene3-contrib-java",
"binary_version": "3.6.2+dfsg-8ubuntu0.1+esm1"
},
{
"binary_name": "liblucene3-java",
"binary_version": "3.6.2+dfsg-8ubuntu0.1+esm1"
},
{
"binary_name": "libsolr-java",
"binary_version": "3.6.2+dfsg-8ubuntu0.1+esm1"
},
{
"binary_name": "solr-common",
"binary_version": "3.6.2+dfsg-8ubuntu0.1+esm1"
},
{
"binary_name": "solr-jetty",
"binary_version": "3.6.2+dfsg-8ubuntu0.1+esm1"
},
{
"binary_name": "solr-tomcat",
"binary_version": "3.6.2+dfsg-8ubuntu0.1+esm1"
}
]
}Ubuntu:Pro:18.04:LTS
lucene-solr
Package
- Name
- lucene-solr
- Purl
- pkg:deb/ubuntu/lucene-solr@3.6.2+dfsg-18~18.04.1~esm2?arch=source&distro=esm-apps/bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "liblucene3-contrib-java",
"binary_version": "3.6.2+dfsg-18~18.04.1~esm2"
},
{
"binary_name": "liblucene3-java",
"binary_version": "3.6.2+dfsg-18~18.04.1~esm2"
},
{
"binary_name": "libsolr-java",
"binary_version": "3.6.2+dfsg-18~18.04.1~esm2"
},
{
"binary_name": "solr-common",
"binary_version": "3.6.2+dfsg-18~18.04.1~esm2"
},
{
"binary_name": "solr-jetty",
"binary_version": "3.6.2+dfsg-18~18.04.1~esm2"
},
{
"binary_name": "solr-tomcat",
"binary_version": "3.6.2+dfsg-18~18.04.1~esm2"
}
]
}