CVE-2017-9803
CVE-2017-9803 is a vulnerability of currently unknown severity. Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application; when a SecurityAwareZkACLProvider type of ACL provider is in use, this functionality leaks the security configuration and allows privilege escalation. EPSS estimates a 2.20% chance of exploitation in the next 30 days.
Description
Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster. The vulnerability is fixed from Apache Solr 6.6.1 onwards.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Solr | 6.2.0 |
| Apache | Solr | 6.2.1 |
| Apache | Solr | 6.3.0 |
| Apache | Solr | 6.4.0 |
| Apache | Solr | 6.4.1 |
| Apache | Solr | 6.4.2 |
| Apache | Solr | 6.5.0 |
| Apache | Solr | 6.5.1 |
| Apache | Solr | 6.6.0 |
References
- http://www.securityfocus.com/bid/100870 (Third Party Advisory, VDB Entry)
Source: NVD / NIST
