CVE-2017-3163

Published: 30/08/2017 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr prior to 5.5.4 and 6.x prior to 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.

Vulnerable Products

apache solr 6.2.1
apache solr
apache solr 6.0.0
apache solr 6.0.1
apache solr 6.1.0
apache solr 6.4.0
apache solr 6.2.0
apache solr 6.3.0

Vendor Advisories

Debian Bug report logs - #867712 lucene-solr: CVE-2017-3163. Package: src:lucene-solr; Maintainer for src:lucene-solr is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 8 Jul 2017 20:51:01 UTC; Severity: important; Tags: security, ...

Two vulnerabilities have been found in Solr, a search server based on Lucene, which could result in the execution of arbitrary code or path traversal. For the oldstable distribution (jessie), these problems have been fixed in version 3.6.2+dfsg-5+deb8u1. For the stable distribution (stretch), these problems have been fixed in version 3.6.2+dfsg-10+ ...

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a ...

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a ...

Synopsis: Important: eap6-jboss-ec2-eap security update. Type/Severity: Security Advisory: Important. Topic: An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact ...

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update. Type/Severity: Security Advisory: Important. Topic: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.20, fix several bugs, and add various enhancements are now available from the Red Hat Cu ...

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a ...