CVE-2017-3163

Impact:
Moderate
Public Date:
2017-02-15
CWE:
CWE-22
Bugzilla:
1454783: CVE-2017-3163 solr: Directory traversal via Index Replication HTTP API

The MITRE CVE dictionary describes this issue as:

When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.

Find out more about CVE-2017-3163 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 5.9
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact None
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server RHSA-2018:1449 2018-05-14
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2018:1447 2018-05-14
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server RHSA-2018:1450 2018-05-14
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server RHSA-2018:1448 2018-05-14
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) RHSA-2018:1451 2018-05-14

Affected Packages State

Platform Package State
Red Hat JBoss Portal Platform 6 solr-core Will not fix
Red Hat JBoss Fuse Service Works 6 solr-core Will not fix
Red Hat JBoss Fuse 6 camel Not affected
Red Hat JBoss Data Virtualization 6 solr-core Not affected
Red Hat JBoss Data Grid 6 solr-core Will not fix
Last Modified

CVE description copyright © 2017, The MITRE Corporation