
CVE-2020-13957 org.apache.solr:solr-solrj

Package

Manager: maven
Name: org.apache.solr:solr-solrj
Vulnerable Version: >=6.6.0 <8.6.3

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.84903 (percentile 0.993)

Details

Incorrect Authorization in Apache Solr. Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevent some features considered dangerous (they could be used for remote code execution) from being configured in a ConfigSet that is uploaded via the API without authentication/authorization. The checks that block those features can be circumvented by using a combination of UPLOAD and CREATE actions. This issue is patched in 8.6.3.
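Triage check, added here as an example (not part of the advisory or of Apache Solr): it encodes the three affected branches from the Details text and the coarser Package range, and reports whether a given solr-solrj version is affected. The dependency map passed to `triage` is a constructed sample; the artifact coordinate is the one named in the Package section.

```python
"""Check a Solr / solr-solrj version against the affected ranges of CVE-2020-13957."""
import re

# Affected branches exactly as listed in the advisory text (inclusive bounds).
AFFECTED_RANGES = (
    ((6, 6, 0), (6, 6, 6)),
    ((7, 0, 0), (7, 7, 3)),
    ((8, 0, 0), (8, 6, 2)),
)
FIXED_VERSION = (8, 6, 3)
ADVISORY_ARTIFACT = "org.apache.solr:solr-solrj"

# MAJOR.MINOR[.PATCH] with an optional qualifier such as "-SNAPSHOT".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.].*)?$")


def parse_version(text):
    """Parse a version string into (major, minor, patch); a missing patch is 0.

    Qualifiers like "-SNAPSHOT" are dropped, so a snapshot is treated as its
    release version. For triage that is the conservative choice.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True if the version falls inside one of the branches named in the advisory."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def in_manager_range(version):
    """Check against the coarser Package range '>=6.6.0 <8.6.3'.

    This range also covers version numbers that were never released
    (e.g. 7.7.4), so a scanner using only this range can differ from
    the branch list in is_affected().
    """
    v = parse_version(version)
    return (6, 6, 0) <= v < FIXED_VERSION


def triage(dependencies):
    """dependencies: mapping 'group:artifact' -> version (e.g. a resolved Maven tree).

    Returns the entries that match the advisory's artifact and an affected
    version, each with the fixed version to upgrade to.
    """
    findings = []
    for coord, ver in dependencies.items():
        if coord == ADVISORY_ARTIFACT and is_affected(ver):
            findings.append(
                {"artifact": coord, "version": ver, "fix": ".".join(map(str, FIXED_VERSION))}
            )
    return findings


if __name__ == "__main__":
    # Constructed sample of a resolved dependency list, not real project data.
    sample = {
        "org.apache.solr:solr-solrj": "8.5.2",
        "org.apache.lucene:lucene-core": "8.5.2",
    }
    for f in triage(sample):
        print(f"{f['artifact']}:{f['version']} is affected; upgrade to {f['fix']}")
```

Feed `triage` whatever your build tool resolves (for Maven, the output of `mvn dependency:list` parsed into a dict); the branch list, not the coarse Package range, is the one to trust when the two disagree.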

Metadata

Created: 2022-02-10T00:31:27Z
Modified: 2025-03-17T21:39:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-3c7p-vv5r-cmr5/GHSA-3c7p-vv5r-cmr5.json
CWE IDs: ["CWE-863"] (Incorrect Authorization)
Alternative ID: GHSA-3c7p-vv5r-cmr5
Finding: F006
Auto approve: 1