GHSA-7crc-r3wg-cfgf – ezsystems/ezplatform-solr-search-engine
Package
Manager: composer
Name: ezsystems/ezplatform-solr-search-engine
Vulnerable Version: >=3.3.0 <3.3.15 || >=2.0.0 <2.0.2 || >=1.7.0 <1.7.12
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
JSON response for search reveals Solr credentials

### Impact
An error in Ibexa's Solr search engine results in potential exposure of Solr credentials. This is a critical vulnerability and all supported versions of the engine are affected. Those not using the Solr search engine are not affected.

### Patches
The issue is fixed in all supported versions of ezsystems/ezplatform-solr-search-engine, see "Patched versions". An advisory is also published for ibexa/solr; please see that repository.
Commit: https://github.com/ezsystems/ezplatform-solr-search-engine/commit/1005e02cc32ff15a705857fa56171528a83b9c3e

### Workarounds
None.

### References
https://developers.ibexa.co/security-advisories/ibexa-sa-2023-005-vulnerabilities-in-solr-search-and-file-downloads
Metadata
Created: 2023-11-03T19:50:18Z
Modified: 2023-11-03T19:50:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-7crc-r3wg-cfgf/GHSA-7crc-r3wg-cfgf.json
CWE IDs: ["CWE-200"]
Alternative ID: N/A
Finding: F038
Auto approve: 1