CVE-2020-13957

CRITICAL

Apache Solr < 6.6.6 - Incorrect Authorization

Title source: rule

Description

Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevent some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that is uploaded via the API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

Exploits (1)

nomisec · WORKING POC · 1 star
by s-index · poc
https://github.com/s-index/CVE-2020-13957

References (22)


Scores

CVSS v3 9.8
EPSS 0.8482
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-863
Status published
Products (4)
apache/solr 6.6.0 - 6.6.6
org.apache.solr/solr-core 6.6.0 - 8.6.3 (Maven)
org.apache.solr/solr-parent 6.6.0 - 8.6.3 (Maven)
org.apache.solr/solr-solrj 6.6.0 - 8.6.3 (Maven)
Published Oct 13, 2020
Tracked Since Feb 18, 2026