lucene-java-user mailing list archives

From Noble Paul <>
Subject CVE-2018-11802: Apache Solr authorization bug vulnerability disclosure
Date Wed, 24 Apr 2019 07:04:55 GMT
CVE-2018-11802: Apache Solr authorization bug disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Solr 7.6 or less

jira  ticket :
In Apache Solr, the cluster can be partitioned into multiple
collections, and only a subset of nodes actually hosts any given
collection. However, if a node receives a request for a collection it
does not host, it proxies the request to a relevant node and serves
the request. Solr bypasses all authorization settings for such
requests. This affects all Solr versions that use the default
authorization mechanism of Solr (RuleBasedAuthorizationPlugin).

A fix is provided in Solr version 7.7 and upwards. If you use Solr's
authorization mechanism, please upgrade to a version newer than Solr

Credit: This issue was discovered by Mahesh Kumar Vasanthu Somashekar.
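
A simplified model of the request path the advisory describes, added here as an illustration; it is not Solr code and not part of the original message, and the node names, users and rule set are constructed. `handle_flawed` applies the rule check only to locally hosted collections, while `handle_checked` shows one way to close the gap (an assumption, not necessarily how Solr 7.7 fixed it).

```python
# Simplified model of the request path described in the advisory.
# All names (Node, RULES, handle_*) are hypothetical; this is not Solr code.
from dataclasses import dataclass, field

# Constructed rule set: which users may read which collection.
RULES = {"public": {"alice", "bob"}, "payroll": {"alice"}}

def authorized(user, collection):
    """Rule check standing in for an authorization plugin."""
    return user in RULES.get(collection, set())

@dataclass
class Node:
    name: str
    hosted: set                      # collections this node hosts
    peers: list = field(default_factory=list)

    def serve_local(self, collection):
        return f"{collection} served by {self.name}"

    def find_host(self, collection):
        for peer in self.peers:
            if collection in peer.hosted:
                return peer
        raise LookupError(collection)

    def handle_flawed(self, user, collection):
        """Authorization runs only when the collection is hosted locally."""
        if collection in self.hosted:
            if not authorized(user, collection):
                return "403"
            return self.serve_local(collection)
        # Proxy path: forwarded as a trusted inter-node call, no rule check.
        return self.find_host(collection).serve_local(collection)

    def handle_checked(self, user, collection):
        """Authorization runs before the local/proxy decision."""
        if not authorized(user, collection):
            return "403"
        if collection in self.hosted:
            return self.serve_local(collection)
        return self.find_host(collection).serve_local(collection)

def build_cluster():
    """Two-node constructed cluster; each node hosts one collection."""
    n1, n2 = Node("node1", {"public"}), Node("node2", {"payroll"})
    n1.peers, n2.peers = [n2], [n1]
    return n1, n2
```

In the model, the same user and collection produce different outcomes depending only on which node receives the request, which is why authorization tests for a cluster should be run against every node and not just the ones hosting the collection.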
