CVE-2020-13941

HIGH

Apache Solr < 8.6.0 - Unauthenticated Arbitrary File Read and Write via Replication Handler Location Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-13941. PoCs published by mbadanoiu.

AI-analyzed exploit summary This repository provides a detailed writeup and references for CVE-2020-13941, which involves abusing UNC paths in Windows environments in Apache Solr to capture NTLM hashes or perform SMB relay attacks. It also mentions potential post-authentication RCE via malicious Solr config files.

Description

Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e you could read/write to any location the solr user can access.

Exploits (1)

nomisec WRITEUP
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2020-13941

This repository provides a detailed writeup and references for CVE-2020-13941, which involves abusing UNC paths in Windows environments in Apache Solr to capture NTLM hashes or perform SMB relay attacks. It also mentions potential post-authentication RCE via malicious Solr config files.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Apache Solr
No auth needed
Prerequisites: Access to a vulnerable Apache Solr instance · Network access to an attacker-controlled SMB server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 8.8
EPSS 0.0381
EPSS Percentile 88.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (2)
apache/solr < 8.6.0
org.apache.solr/solr-parent 0 - 8.6.0Maven
Published Aug 17, 2020
Tracked Since Feb 18, 2026