oss-sec mailing list archives

Re: CVE-2018-11802: Apache Solr authorization bug vulnerability disclosure


From: Ishan Chattopadhyaya <ichattopadhyaya () gmail com>
Date: Wed, 24 Apr 2019 16:11:08 +0530

This fix has also been backported to Solr 6.6.6 for users who are
stuck with Solr 6.x.

(Sorry, I hadn't updated the issue and hence this was missed in the
original mail.)

On Wed, Apr 24, 2019 at 12:35 PM Noble Paul <noble () apache org> wrote:

CVE-2018-11802: Apache Solr authorization bug disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Solr 7.6 or less

Description:
JIRA ticket: https://issues.apache.org/jira/browse/SOLR-12514
In Apache Solr the cluster can be partitioned into multiple
collections and only a subset of nodes actually host any given
collection. However, if a node receives a request for a collection it
does not host, it proxies the request to a relevant node and serves
the request. Solr bypasses all authorization settings for such
requests. This affects all Solr versions that use the default
authorization mechanism of Solr (RuleBasedAuthorizationPlugin).

Mitigation:
A fix is provided in Solr 7.7 and upwards. If you use Solr's
authorization mechanism, please upgrade to a version newer than Solr
7.7.

Credit: This issue was discovered by Mahesh Kumar Vasanthu Somashekar.

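As an added example (not part of this thread and not Solr's own code): a small Python check that combines the release reported by Solr's /solr/admin/info/system endpoint with the authorization plugin class named in security.json, treating 7.7 and later plus the 6.6.6 backport mentioned above as fixed. The JSON samples are constructed to stand in for those two sources so the check runs offline.

```python
import json
import re
from typing import Optional, Tuple

# Constructed samples; a live check would GET /solr/admin/info/system and
# read security.json from ZooKeeper or the node's Solr home directory.
SAMPLE_SYSTEM_INFO = json.dumps({
    "responseHeader": {"status": 0, "QTime": 2},
    "lucene": {"solr-spec-version": "7.6.0", "lucene-spec-version": "7.6.0"},
})
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {"class": "solr.BasicAuthPlugin"},
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                      "permissions": [{"name": "read", "role": "reader"}]},
})


def parse_solr_version(system_info_json: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from an /admin/info/system response."""
    spec = json.loads(system_info_json)["lucene"]["solr-spec-version"]
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", spec)
    if not m:
        raise ValueError(f"unrecognised solr-spec-version: {spec!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    return major, minor, patch


def has_cve_2018_11802_fix(version: Tuple[int, int, int]) -> bool:
    """True for releases carrying the fix: 7.7 and later (advisory) or the
    6.6.6 backport (follow-up). Everything else at 7.6 or below is affected."""
    major, minor, patch = version
    if major > 7 or (major == 7 and minor >= 7):
        return True
    return major == 6 and minor == 6 and patch >= 6


def configured_authz_plugin(security_json: str) -> Optional[str]:
    """Return the authorization plugin class from security.json, if any."""
    return json.loads(security_json).get("authorization", {}).get("class")


def assess(system_info_json: str, security_json: str) -> str:
    """Combine release and configured authorization plugin into a verdict."""
    if has_cve_2018_11802_fix(parse_solr_version(system_info_json)):
        return "fixed"
    if configured_authz_plugin(security_json) == "solr.RuleBasedAuthorizationPlugin":
        return "vulnerable: proxied requests for remote collections skip authorization"
    return "unfixed release, but RuleBasedAuthorizationPlugin is not configured"
```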
