Vulnerability in Apache Software Foundation Solr
CVE-2017-3164
Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET…
EPSS: 0.595 (98.3rd percentile).
Affected products
- Apache Software Foundation Solr — versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2, 4.0.0 to 4.10.4, 5.0.0 to 5.5.5, 6.0.0 to 6.6.5, 7.0.0 to 7.6.0
Public proof-of-concept exploits
References
- 107026 (vdb-entry, x_refsource_BID)
- [www-announce] 20190212 [SECURITY] CVE-2017-3164 SSRF issue in Apache Solr (mailing-list, x_refsource_MLIST)
- [lucene-dev] 20190325 [jira] [Commented] (SOLR-12770) [CVE-2017-3164] Make it possible to configure a shards whitelist for master/slave (mailing-list, x_refsource_MLIST)
- [lucene-dev] 20190327 [jira] [Commented] (SOLR-12770) [CVE-2017-3164] Make it possible to configure a shards whitelist for master/slave (mailing-list, x_refsource_MLIST)
- [lucene-dev] 20190405 [jira] [Updated] (SOLR-12770) [CVE-2017-3164] Make it possible to configure a shards whitelist for master/slave (mailing-list, x_refsource_MLIST)
- [lucene-dev] 20190405 [jira] [Commented] (SOLR-12770) [CVE-2017-3164] Make it possible to configure a shards whitelist for master/slave (mailing-list, x_refsource_MLIST)
- [nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html (mailing-list, x_refsource_MLIST)
- [nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html (mailing-list, x_refsource_MLIST)
- www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (x_refsource_MISC)
- www.oracle.com/security-alerts/cpuoct2020.html (x_refsource_MISC)
Frequently asked questions
- What is CVE-2017-3164?
- CVE-2017-3164 is a vulnerability in Apache Software Foundation Solr. Published 2019-03-08.
- Is CVE-2017-3164 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.