CVE-2021-29262

CWE-522 — Insufficiently Protected Credentials CWE-2797 documents6 sources

Severity

7.5HIGH

EPSS

26.2%

top 3.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Solr Apache Solr

Timeline

PublishedApr 13

Latest updateMay 10

Description

When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/solr< 8.8.2

▶Mavenorg.apache.solr:solr-core< 8.8.2

▶CVEListV5apache_software_foundation/apache_solrApache Solr — 8.8.2

🔴Vulnerability Details

GHSA

Improper permission handling in Apache Solr↗2021-05-10

▶

OSV

Improper permission handling in Apache Solr↗2021-05-10

▶

OSV

CVE-2021-29262: When starting Apache Solr versions prior to 8↗2021-04-13

▶

CVEList

Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings↗2021-04-13

▶

📋Vendor Advisories

Red Hat

solr: misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings↗2021-04-12

▶

Debian

CVE-2021-29262: lucene-solr - When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACL...↗2021

▶