CVE-2021-27905 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Cross-site request forgery
Description	The ReplicationHandler (normally registered at "/replication" under a Solr core) has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a server-side request forgery (SSRF) vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1808	solr	8.8.1-1	8.8.2-1	Medium	Fixed

References
https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E https://issues.apache.org/jira/browse/SOLR-15217 https://github.com/apache/lucene-solr/commit/3132a6fd14bf272e26ca07be12a5b45dc6a22f73

References

https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E
https://issues.apache.org/jira/browse/SOLR-15217
https://github.com/apache/lucene-solr/commit/3132a6fd14bf272e26ca07be12a5b45dc6a22f73