⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2021-27905

Severity: 9.8 CRITICAL
EPSS: 93.9% (top 0.12%)
CISA KEV: Not in KEV
Exploit: Exploited in wild. Active exploitation observed.

Timeline
Published: Apr 13
Latest update: Apr 29

Description

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent an SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr version

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

NVD: apache/solr < 8.8.2
CVEListV5: apache_software_foundation/apache_solr, Apache Solr 8.8.2
Debian: lucene-solr < 3.6.2+dfsg-23+3

🔴 Vulnerability Details (4)

OSV: Server-Side Request Forgery in Apache Solr (2021-05-10)
GHSA: Server-Side Request Forgery in Apache Solr (2021-05-10)
OSV: CVE-2021-27905: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter t (2021-04-13)
CVEList: SSRF vulnerability with the Replication handler (2021-04-13)

💥 Exploits & PoCs (1)

Nuclei: Apache Solr <=8.8.1 - Server-Side Request Forgery

📋 Vendor Advisories (2)

Red Hat: solr: SSRF vulnerability with the Replication handler (2021-04-12)
Debian: CVE-2021-27905: lucene-solr - The ReplicationHandler (normally registered at "/replication" under a Solr core)... (2021)

💬 Community (1)

HackerOne: SSRF due to CVE-2021-27905 in www.████████ (2022-04-29)