
Apache Solr < 8.11.1 Information Disclosure


The version of Apache Solr running on the remote host is prior to 8.11.1. It is, therefore, affected by an information disclosure vulnerability due to improper input validation in DataImportHandler. The vulnerability allows an attacker to provide a Windows UNC path, resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in the exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes). On misconfigured systems, SMB relay attacks can lead to user impersonation on SMB shares or, in the worst case, remote code execution. This issue only affects Windows.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Description block: when the scanner loads the plugin in description mode it
# registers the metadata below and exits without running the version check.
if (description)
{
  script_id(168495);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/09");

  script_cve_id("CVE-2021-44548");

  script_name(english:"Apache Solr < 8.11.1 Information Disclosure");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a Java application that is affected by an information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Solr running on the remote host is prior to 8.11.1. It is, therefore, affected by an information
disclosure vulnerability due to improper input validation in DataImportHandler. The vulnerability allows an attacker to
provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the
network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in the
exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes). In case of misconfigured systems, SMB Relay
Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution. This
issue only affects Windows.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://lucene.apache.org/solr/news.html");
  # https://solr.apache.org/security.html#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler
  # The nessus.org short link below is presumably a redirect to the advisory URL above.
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7be001bc");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Solr version 8.11.1 or later.");
  # CVSS vectors are taken from the CVE record (see cvss_score_source below);
  # the temporal vectors reflect that no public exploit is known (E:U) and an
  # official fix exists (RL:OF / RL:O).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-44548");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/12/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/12/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:solr");
  script_end_attributes();

  # Information-gathering category: the plugin compares versions only and does
  # not send any DataImportHandler request to the target.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # solr_detect.nbin populates installed_sw/Apache Solr; os_fingerprint.nasl
  # presumably supplies Host/OS, which the Windows-only gate in the check
  # section reads. Both KB keys must exist or the plugin does not run.
  script_dependencies("solr_detect.nbin", "os_fingerprint.nasl");
  script_require_keys("installed_sw/Apache Solr", "Host/OS");

  exit(0);
}

include('vcf.inc');

# Version-based check for CVE-2021-44548. Only the detected Solr version and
# the fingerprinted host OS are consulted; DataImportHandler itself is never
# probed, so a finding is an inference from the self-reported version (see the
# description above), not a confirmation that the handler is enabled.
var app_info = vcf::combined_get_app_info(app:'Apache Solr');

# A version string with fewer than three segments cannot be compared against
# the 8.11.1 fix with confidence; vcf appears to audit out in that case.
vcf::check_granularity(app_info:app_info, sig_segments:3);

# The UNC-path issue is Windows-specific, so any other fingerprinted OS is
# audited out rather than reported. 'Host/OS' is a required key (declared in
# the description block), hence the _or_exit variant.
var host_os = get_kb_item_or_exit('Host/OS');
if (!('windows' >< tolower(host_os)))
  audit(AUDIT_OS_NOT, 'Windows');

# Every version below the fix is considered affected.
var constraints = [ { 'fixed_version' : '8.11.1' } ];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);