CVE-2017-9803

CWE-287Improper Authentication7 documents7 sources
Severity
7.5HIGH
EPSS
1.5%
top 18.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache SolrApache Solr
Timeline
PublishedSep 18
Latest updateMay 14

Description

Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages3 packages

Mavenorg.apache.solr:solr-core6.2.06.6.1
NVDapache/solr9 versions+8
CVEListV5apache_software_foundation/apache_solr6.2.0 to 6.6.0

🔴Vulnerability Details

3
GHSA
Apache Solr Kerberos delegation token functionality flaws2022-05-14
OSV
Apache Solr Kerberos delegation token functionality flaws2022-05-14
CVEList
CVE-2017-9803: Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or an2017-09-18

📋Vendor Advisories

2
Red Hat
solr: Kerberos delegation token functionality allows to re-use authentication2017-09-18
Debian
CVE-2017-9803: lucene-solr - Apache Solr's Kerberos plugin can be configured to use delegation tokens, which ...2017

💬Community

1
Bugzilla
CVE-2017-9803 solr: Kerberos delegation token functionality allows to re-use authentication2017-09-20
CVE-2017-9803 (HIGH CVSS 7.5) | Apache Solr's Kerberos plugin can b | cvebase.io