CVE-2017-3163 - OpenCVE

When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Solr

Configuration 1 [-]

OR	cpe:2.3:a:apache:solr::::::::
	cpe:2.3:a:apache:solr:6.0.0:::::::*
	cpe:2.3:a:apache:solr:6.0.1:::::::*
	cpe:2.3:a:apache:solr:6.1.0:::::::*
	cpe:2.3:a:apache:solr:6.2.0:::::::*
	cpe:2.3:a:apache:solr:6.2.1:::::::*
	cpe:2.3:a:apache:solr:6.3.0:::::::*
	cpe:2.3:a:apache:solr:6.4.0:::::::*

References

Link	Resource
https://access.redhat.com/errata/RHSA-2018:1447
https://access.redhat.com/errata/RHSA-2018:1448
https://access.redhat.com/errata/RHSA-2018:1449
https://access.redhat.com/errata/RHSA-2018:1450
https://access.redhat.com/errata/RHSA-2018:1451
https://lists.apache.org/thread.html/a6a33a186f293f9f9aecf3bd39c76252bfc49a79de4321dd2a53b488%40%3Csolr-user.lucene.apache.org%3E
https://www.debian.org/security/2018/dsa-4124

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2017-02-15T00:00:00

Updated: 2018-05-16T09:57:01

Reserved: 2016-12-05T00:00:00

Link: CVE-2017-3163

JSON object: View

NVD Information

Status : Modified

Published: 2017-08-30T14:29:00.207

Modified: 2023-11-07T02:44:04.200

Link: CVE-2017-3163

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "Apache Solr", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "1.4.0 to 5.5.3"}, {"status": "affected", "version": "6.0.0 to 6.4.0"}]}], "datePublic": "2017-02-15T00:00:00", "descriptions": [{"lang": "en", "value": "When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access."}], "problemTypes": [{"descriptions": [{"description": "Information Disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-16T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "RHSA-2018:1448", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1448"}, {"name": "RHSA-2018:1449", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1449"}, {"name": "RHSA-2018:1450", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1450"}, {"name": "RHSA-2018:1451", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1451"}, {"name": "[solr-user] 20170215 [SECURITY] CVE-2017-3163 Apache Solr ReplicationHandler path traversal attack", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/a6a33a186f293f9f9aecf3bd39c76252bfc49a79de4321dd2a53b488%40%3Csolr-user.lucene.apache.org%3E"}, {"name": "RHSA-2018:1447", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1447"}, {"name": "DSA-4124", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4124"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-02-15T00:00:00", "ID": "CVE-2017-3163", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Solr", "version": {"version_data": [{"version_value": "1.4.0 to 5.5.3"}, {"version_value": "6.0.0 to 6.4.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure"}]}]}, "references": {"reference_data": [{"name": "RHSA-2018:1448", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:1448"}, {"name": "RHSA-2018:1449", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:1449"}, {"name": "RHSA-2018:1450", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:1450"}, {"name": "RHSA-2018:1451", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:1451"}, {"name": "[solr-user] 20170215 [SECURITY] CVE-2017-3163 Apache Solr ReplicationHandler path traversal attack", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/a6a33a186f293f9f9aecf3bd39c76252bfc49a79de4321dd2a53b488@%3Csolr-user.lucene.apache.org%3E"}, {"name": "RHSA-2018:1447", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:1447"}, {"name": "DSA-4124", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4124"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-3163", "datePublished": "2017-02-15T00:00:00", "dateReserved": "2016-12-05T00:00:00", "dateUpdated": "2018-05-16T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0CB118A-E405-41E5-B25F-C151B14292A7", "versionEndIncluding": "5.5.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:solr:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "29F3170C-C5D6-431F-A2DD-692636CF5DAB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:solr:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BA339070-A2BD-4559-B400-2BC2EB9923A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:solr:6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "B737CF14-C14A-4D97-B838-47EC4A2C68C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:solr:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "036F935D-B469-47C6-AF5D-3DFC73070753", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:solr:6.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "42A1A17A-32EA-40A2-9A1E-6019B493B5C1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:solr:6.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "76557E9C-1F16-44D9-ACA1-F4DAEC966F05", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:solr:6.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "DE068A02-D47A-4C6C-BFD3-040385599CA5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access."}, {"lang": "es", "value": "Cuando se usa la caracter\u00edstica Index Replication, los nodos Apache Solr pueden tomar archivos index de un nodo master/leader usando una API HTTP que acepta un nombre de archivo. Sin embargo, Solr en versiones anteriores a la 5.5.4 y en versiones 6.x anteriores a la 6.4.1 no valida el nombre de archivo, por lo que fue posible manipular una petici\u00f3n especial que involucre un salto de ruta, dejando expuestos todos los archivos legibles en el proceso de servidor Solr. Los servidores Solr protegidos y restringidos por reglas de firewall y/o autenticaci\u00f3n no estar\u00edan en riesgo ya que solo los clientes y usuarios de confianza obtendr\u00edan acceso HTTP directo."}], "id": "CVE-2017-3163", "lastModified": "2023-11-07T02:44:04.200", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-30T14:29:00.207", "references": [{"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2018:1447"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2018:1448"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2018:1449"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2018:1450"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2018:1451"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/a6a33a186f293f9f9aecf3bd39c76252bfc49a79de4321dd2a53b488%40%3Csolr-user.lucene.apache.org%3E"}, {"source": "security@apache.org", "url": "https://www.debian.org/security/2018/dsa-4124"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}