QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2017-9803

Back to search

CVE-2017-9803

Published: Sep 18, 2017

Modified: Sep 17, 2024

PUBLISHED

Description

Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster. The vulnerability is fixed from Apache Solr 6.6.1 onwards.

VendorProductVersions

Apache Software Foundation

Apache Solr

affected
6.2.0 to 6.6.0

References

100870
vdb-entry
x_refsource_BID

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now