CVE-2021-29262 - log

CVE-2021-29262 edited at 13 Apr 2021 08:35:21
References
- https://www.openwall.com/lists/oss-security/2021/04/12/3
+ https://lists.apache.org/thread.html/r536da4c4e4e406f7843461cc754a3d0a3fe575aa576e2b71a9cd57d0%40%3Cannounce.apache.org%3E
https://issues.apache.org/jira/browse/SOLR-15249
https://github.com/apache/lucene-solr/commit/90671d8072bd09d4acaee0c390a53984b7474ebe
https://github.com/apache/lucene-solr/commit/d97d1a07024edabb8dcd9ccf40f9ba31209c36ab
CVE-2021-29262 edited at 12 Apr 2021 22:05:33
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.
References
+ https://www.openwall.com/lists/oss-security/2021/04/12/3
+ https://issues.apache.org/jira/browse/SOLR-15249
+ https://github.com/apache/lucene-solr/commit/90671d8072bd09d4acaee0c390a53984b7474ebe
+ https://github.com/apache/lucene-solr/commit/d97d1a07024edabb8dcd9ccf40f9ba31209c36ab
Notes
CVE-2021-29262 created at 12 Apr 2021 21:57:41