---

CVE-2021-27905 - log back

CVE-2021-27905 edited at 13 Apr 2021 08:34:40
References	- https://www.openwall.com/lists/oss-security/2021/04/12/4 + https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E https://issues.apache.org/jira/browse/SOLR-15217 https://github.com/apache/lucene-solr/commit/3132a6fd14bf272e26ca07be12a5b45dc6a22f73

CVE-2021-27905 edited at 12 Apr 2021 22:03:30
Severity	- Unknown + Medium
Remote	- Unknown + Remote
Type	- Unknown + Cross-site request forgery
Description	+ The ReplicationHandler (normally registered at "/replication" under a Solr core) has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a server-side request forgery (SSRF) vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
References	+ https://www.openwall.com/lists/oss-security/2021/04/12/4 + https://issues.apache.org/jira/browse/SOLR-15217 + https://github.com/apache/lucene-solr/commit/3132a6fd14bf272e26ca07be12a5b45dc6a22f73
Notes

CVE-2021-27905 created at 12 Apr 2021 21:57:41