CVE-2021-27905 log

Source
Severity Medium
Remote Yes
Type Cross-site request forgery
Description
The ReplicationHandler (normally registered at "/replication" under a Solr core) has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a server-side request forgery (SSRF) vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
Group Package Affected Fixed Severity Status Ticket
AVG-1808 solr 8.8.1-1 8.8.2-1 Medium Fixed
References
https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E
https://issues.apache.org/jira/browse/SOLR-15217
https://github.com/apache/lucene-solr/commit/3132a6fd14bf272e26ca07be12a5b45dc6a22f73