CVE-2020-13957

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-13957
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13957.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-13957
Aliases
Published
2020-10-13T19:15:12Z
Modified
2024-10-12T05:59:31.792493Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevent some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that is uploaded via the API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

References

Affected packages

Git / github.com/apache/lucene-solr

Affected versions

releases/lucene-solr/6.*

releases/lucene-solr/6.6.0
releases/lucene-solr/6.6.1
releases/lucene-solr/6.6.2
releases/lucene-solr/6.6.3
releases/lucene-solr/6.6.4
releases/lucene-solr/6.6.5
releases/lucene-solr/6.6.6