Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.apache.solr:solr-parent(Maven) | 6.6.0 | 8.6.3 | N/A |
| org.apache.solr:solr-solrj(Maven) | 6.6.0 | 8.6.3 | N/A |
| org.apache.solr:solr-core(Maven) | 6.6.0 | 8.6.3 | N/A |
CVSS Metrics
