CVE-2021-44548 - OpenCVE

An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Solr
Microsoft	Windows

Configuration 1 [-]

AND

cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References

Link	Resource
https://security.netapp.com/advisory/ntap-20220114-0005/	Third Party Advisory
https://solr.apache.org/security.html#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2021-12-23T08:55:09

Updated: 2022-01-14T06:06:11

Reserved: 2021-12-04T00:00:00

Link: CVE-2021-44548

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-12-23T09:15:06.693

Modified: 2022-08-09T13:28:40.967

Link: CVE-2021-44548

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"platforms": ["Windows"], "product": "Apache Solr", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "8.11.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Solr would like to thank LaiHan of Nsfocus security team for reporting the issue"}], "descriptions": [{"lang": "en", "value": "An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows."}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-40", "description": "CWE-40: Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-14T06:06:11", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://solr.apache.org/security.html#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220114-0005/"}], "source": {"defect": ["SOLR-15826"], "discovery": "UNKNOWN"}, "title": "Apache Solr information disclosure vulnerability through DataImportHandler", "workarounds": [{"lang": "en", "value": "Upgrade to Solr 8.11.1, and/or ensure only trusted clients can make requests to Solr's DataImport handler."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-44548", "STATE": "PUBLIC", "TITLE": "Apache Solr information disclosure vulnerability through DataImportHandler"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Solr", "version": {"version_data": [{"platform": "Windows", "version_affected": "<", "version_value": "8.11.1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Solr would like to thank LaiHan of Nsfocus security team for reporting the issue"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-40: Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)"}]}, {"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://solr.apache.org/security.html#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler", "refsource": "MISC", "url": "https://solr.apache.org/security.html#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler"}, {"name": "https://security.netapp.com/advisory/ntap-20220114-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220114-0005/"}]}, "source": {"defect": ["SOLR-15826"], "discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Upgrade to Solr 8.11.1, and/or ensure only trusted clients can make requests to Solr's DataImport handler."}]}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-44548", "datePublished": "2021-12-23T08:55:09", "dateReserved": "2021-12-04T00:00:00", "dateUpdated": "2022-01-14T06:06:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*", "matchCriteriaId": "ABDB705B-5A94-4FF9-B292-0977F7CE5255", "versionEndExcluding": "8.11.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows."}, {"lang": "es", "value": "Una vulnerabilidad de Comprobaci\u00f3n de Entrada Inapropiada en DataImportHandler de Apache Solr permite a un atacante proporcionar una ruta UNC de Windows que resulta en una llamada de red SMB que es hecha desde el host Solr a otro host en la red. Si el atacante presenta un acceso m\u00e1s amplio a la red, esto puede conllevar a ataques SMB, que pueden resultar en: * La exfiltraci\u00f3n de datos confidenciales como los hashes de usuario del Sistema Operativo (hashes NTLM/LM), * En caso de sistemas configurados inapropiadamente, ataques de retransmisi\u00f3n SMB que pueden conllevar a una suplantaci\u00f3n de usuarios en recursos compartidos SMB o, en el peor de los casos, una ejecuci\u00f3n de c\u00f3digo remota. Este problema afecta a todas las versiones de Apache Solr anteriores a 8.11.1. Este problema s\u00f3lo afecta a Windows"}], "id": "CVE-2021-44548", "lastModified": "2022-08-09T13:28:40.967", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-23T09:15:06.693", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220114-0005/"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://solr.apache.org/security.html#cve-2021-44548-apache-solr-information-disclosure-vulnerability-through-dataimporthandler"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-40"}], "source": "security@apache.org", "type": "Secondary"}]}