Lucene search

GoogleOSV:GHSA-VRH8-27Q8-FR8F

HistoryMar 14, 2019 - 3:39 p.m.

Server-Side Request Forgery (SSRF) in org.apache.solr:solr-core

2019-03-1415:39:56

Google

osv.dev

EPSS

0.122

Percentile

95.5%

JSON

Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the “shards” parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.

References

mail-archives.apache.org/mod_mbox/www-announce/201902.mbox/%3CCAECwjAVjBN%3DwO5rYs6ktAX-5%3D-f5JDFwbbTSM2TTjEbGO5jKKA%40mail.gmail.com%3E

www.securityfocus.com/bid/107026

github.com/advisories/GHSA-vrh8-27q8-fr8f

lists.apache.org/thread.html/43026507844ada1ac658ccf7bc939378c13e492fd6538416ce65df39@%3Cdev.lucene.apache.org%3E

lists.apache.org/thread.html/75dc651478f9d04505b46d44fe3ac739e7aaf3d7bf1257973685f8f7@%3Cdev.lucene.apache.org%3E

lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E

lists.apache.org/thread.html/ca3105b6934ccd28e843dffe39724f6963ff49825e9b709837203649@%3Cdev.lucene.apache.org%3E

lists.apache.org/thread.html/e0f9c652b57a91fdcc287efcead620af9f4d8e46b88f0b761aa265de@%3Cdev.lucene.apache.org%3E

lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8@%3Ccommits.submarine.apache.org%3E

lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E

nvd.nist.gov/vuln/detail/CVE-2017-3164

security.netapp.com/advisory/ntap-20190327-0003

www.oracle.com/security-alerts/cpuoct2020.html

www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

EPSS

0.122

Percentile

95.5%

JSON

Related for OSV:GHSA-VRH8-27Q8-FR8F