Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2017-7660

Опубликовано: 07 июл. 2017
Источник: nvd
CVSS3: 7.5
CVSS2: 5
EPSS Низкий

Описание

Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:solr:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.3.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.5.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.5.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:5.5.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:solr:6.5.1:*:*:*:*:*:*:*

EPSS

Процентиль: 63%
0.00455
Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-287

Связанные уязвимости

ubuntu логотип

CVE-2017-7660

CVSS3: 7.5
ubuntu
больше 8 лет назад

Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.

redhat логотип

CVE-2017-7660

CVSS3: 7.4
redhat
больше 8 лет назад

Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.

debian логотип

CVE-2017-7660

CVSS3: 7.5
debian
больше 8 лет назад

Apache Solr uses a PKI based mechanism to secure inter-node communicat ...

github логотип

GHSA-c82r-qg3w-q5mv

CVSS3: 7.5
github
больше 3 лет назад

Apache Solr insecure inter-node communication

EPSS

Процентиль: 63%
0.00455
Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-287