CVE-2021-29943

CWE-863 — Incorrect Authorization7 documents6 sources

Severity

9.1CRITICAL

EPSS

7.7%

top 8.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Solr Apache Solr

Timeline

PublishedApr 13

Latest updateMay 10

Description

When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶NVDapache/solr< 8.8.2

▶Mavenorg.apache.solr:solr-parent< 8.8.2

▶CVEListV5apache_software_foundation/apache_solrApache Solr — 8.8.2

🔴Vulnerability Details

OSV

Incorrect Authorization in Apache Solr↗2021-05-10

▶

GHSA

Incorrect Authorization in Apache Solr↗2021-05-10

▶

CVEList

Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections↗2021-04-13

▶

OSV

CVE-2021-29943: When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8↗2021-04-13

▶

📋Vendor Advisories

Red Hat

solr: unprivileged users may be able to perform unauthorized read/write to collections↗2021-04-12

▶

Debian

CVE-2021-29943: lucene-solr - When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr...↗2021

▶