In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
References
Link | Resource |
---|---|
https://www.openwall.com/lists/oss-security/2019/04/24/1 | Mailing List Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2020-04-01T21:11:38
Updated: 2020-04-01T21:11:38
Reserved: 2018-06-05T00:00:00
Link: CVE-2018-11802
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-04-01T22:15:15.147
Modified: 2020-04-03T19:48:21.807
Link: CVE-2018-11802
JSON object: View
Redhat Information
No data.
CWE