Solr Security Vulnerabilities and Issues — Solr CVE List

Lucene search

ApacheSolr

8 matches found

CVE•added 2021/04/01 3:15 p.m.•388 views

CVE-2021-28163

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that dir...

4CVSS5.1AI score0.00152EPSS

In wild

CVE•added 2021/02/26 10:15 p.m.•340 views

CVE-2020-27223

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those qual...

5.3CVSS5.2AI score0.28074EPSS

CVE•added 2021/06/16 12:15 p.m.•309 views

CVE-2021-33813

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

7.5CVSS7AI score0.0006EPSS

CVE•added 2021/04/13 7:15 a.m.•290 views

CVE-2021-27905

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability...

9.8CVSS9.1AI score0.94135EPSS

In wildWeb

CVE•added 2021/04/13 7:15 a.m.•145 views

CVE-2021-29262

When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be re...

7.5CVSS7.4AI score0.26231EPSS

CVE•added 2021/04/13 7:15 a.m.•144 views

CVE-2021-29943

When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.

9.1CVSS9.1AI score0.058EPSS

CVE•added 2021/01/26 6:16 p.m.•133 views

CVE-2020-9492

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.

8.8CVSS8.4AI score0.00085EPSS

CVE•added 2021/12/23 9:15 a.m.•106 views

CVE-2021-44548

An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attack...

9.8CVSS9.6AI score0.05762EPSS