CVE-2021-44548
Published 2021-12-23
Priority: P2 · 64 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.09% (91.3rd percentile)
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path, resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in:

- The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes)
- In case of misconfigured systems, SMB Relay Attacks, which can lead to user impersonation on SMB shares or, in a worst-case scenario, Remote Code Execution

This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | solr | < 8.11.1 | 8.11.1 |
| apache_software_foundation | apache_solr | >= unspecified < 8.11.1 | 8.11.1 |
| debian | lucene-solr | — | — |
Detection & IOCs
- Monitor for outbound SMB traffic (TCP/UDP port 445 or 139) originating from the Apache Solr host process, which may indicate exploitation via a malicious Windows UNC path supplied to DataImportHandler
- Alert on DataImportHandler requests containing UNC path patterns (e.g., \\<host>\<share>) in input parameters, as these are the attack vector for triggering unintended SMB connections
- Watch for NTLM/LM credential hash capture attempts on the network following SMB connections from Solr hosts, as exploitation may result in OS user hash exfiltration
- Detect SMB Relay Attack patterns on the network originating from or targeting the Solr host, which may follow successful UNC path injection
- This vulnerability exclusively affects Apache Solr running on Windows; Linux/Unix deployments are not impacted
- All Apache Solr versions prior to 8.11.1 are vulnerable; upgrade to 8.11.1 or later to remediate
- SMB Relay Attack impact is conditional on misconfigured systems in the network environment
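
As an added example (not part of the original advisory or of Apache Solr), the UNC-pattern alert above can be run over web access logs roughly like this. It assumes NCSA-style log lines and a handler path containing `/dataimport`; the parameter name `src`, the host name and the log lines are constructed. It also matches the forward-slash form `//host/share`, which goes slightly beyond the backslash pattern given in the text.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: DIH is served under a path containing "/dataimport" (set in solrconfig.xml).
DIH_PATH_MARKER = "/dataimport"

# UNC prefix: two slashes (either direction), a host, one separator, a share name.
UNC_RE = re.compile(r"^[\\/]{2}[^\\/?\s]+[\\/][^\\/\s]+")

# Request line inside an NCSA-style access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so a double-encoded backslash is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_unc_dih_requests(log_lines):
    """Return (line_number, parameter, decoded_value) for each suspicious request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if DIH_PATH_MARKER not in target.path.lower():
            continue
        for name, raw in parse_qsl(target.query, keep_blank_values=True):
            value = fully_decode(raw).strip()
            if UNC_RE.match(value):
                hits.append((number, name, value))
    return hits


# Constructed sample lines; "src" is a hypothetical parameter name.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Dec/2021:10:00:00 +0000] "GET /solr/core1/select?q=*:* HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Dec/2021:10:00:05 +0000] "GET /solr/core1/dataimport?src=%5C%5Cfileserver.example%5Cshare HTTP/1.1" 200 87',
    '10.0.0.9 - - [23/Dec/2021:10:00:09 +0000] "GET /solr/core1/dataimport?src=%255C%255Cfileserver.example%255Cshare HTTP/1.1" 200 87',
    '10.0.0.7 - - [23/Dec/2021:10:00:12 +0000] "GET /solr/core1/dataimport?src=data/import.xml HTTP/1.1" 200 90',
]
print(find_unc_dih_requests(SAMPLE_LOG))
```

Access logs carry only the query string, so parameters sent in a POST body have to be inspected at a reverse proxy or WAF instead.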
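CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vendor_debian | — | 9.8 | LOW | — |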
OSV
Apache Solr Improper Input Validation and Path Traversal
osv·2022-01-06
CVE-2021-44548 [CRITICAL] Apache Solr Improper Input Validation and Path Traversal
GHSA
Apache Solr Improper Input Validation and Path Traversal
ghsa·2022-01-06
CVE-2021-44548 [CRITICAL] CWE-20 Apache Solr Improper Input Validation and Path Traversal
Debian
CVE-2021-44548: lucene-solr - An Improper Input Validation vulnerability in DataImportHandler of Apache Solr a...
vendor_debian·2021·CVSS 9.8
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
References
- https://security.netapp.com/advisory/ntap-20220114-0005/
- https://solr.apache.org/security.html#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler