CVE-2018-11802
MEDIUMApache Solr < 6.6.6 and 7.0.0-7.7.0 - Incorrect Authorization via Collection Proxy Request
Title source: llmDescription
In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
References (1)
Core 1
Core References
Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2019/04/24/1
Scores
CVSS v3
4.3
EPSS
0.0015
EPSS Percentile
35.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-863
Status
published
Products (3)
apache/solr
< 6.6.6
org.apache.solr/solr-core
7.0.0 - 7.7.0Maven
org.apache.solr/solr-parent
7.0.0 - 7.7.0Maven
Published
Apr 01, 2020
Tracked Since
Feb 18, 2026