
GHSA-v6xp-ccvx-w52m ibexa/solr

Package

Manager: composer
Name: ibexa/solr
Vulnerable Version: >=4.5.0 <4.5.4

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

JSON response for search reveals Solr credentials

### Impact

An error in Ibexa's Solr search engine results in potential exposure of Solr credentials. This is a critical vulnerability and all supported versions of the engine are affected. Those not using the Solr search engine are not affected.

### Patches

The issue is fixed in all supported versions of ibexa/solr; see "Patched versions". An advisory is also published for ezsystems/ezplatform-solr-search-engine; please see that repository.

Commit: https://github.com/ibexa/solr/commit/2f8b711874bee1ebe31fb8a6362e0c8e52c53012

### Workarounds

None.

### References

https://developers.ibexa.co/security-advisories/ibexa-sa-2023-005-vulnerabilities-in-solr-search-and-file-downloads

Metadata

Created: 2023-11-03T19:48:16Z
Modified: 2023-11-03T19:48:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-v6xp-ccvx-w52m/GHSA-v6xp-ccvx-w52m.json
CWE IDs: ["CWE-200"]
Alternative ID: N/A
Finding: F038
Auto approve: 1