CVE-2020-13957
Published: Oct 13, 2020
Modified: Aug 4, 2024
PUBLISHED
Description
Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevent some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
| Vendor | Product | Versions |
|---|---|---|
| n/a | Apache Solr | affected Apache Solr 6.6.0 to 6.6.6, 7.0.0 to 7.7.3, 8.0.0 to 8.6.2 |
References
[lucene-issues] 20201019 [GitHub] [lucene-site] tflobbe opened a new pull request #31: Add CVE-2020-13957 page
mailing-list
x_refsource_MLIST
https://security.netapp.com/advisory/ntap-20201023-0002/
x_refsource_CONFIRM
[lucene-commits] 20201030 [lucene-site] branch master updated: Add CVE-2020-13957 page (#31)
mailing-list
x_refsource_MLIST
[lucene-issues] 20201030 [GitHub] [lucene-site] tflobbe merged pull request #31: Add CVE-2020-13957 page
mailing-list
x_refsource_MLIST
[lucene-commits] 20201030 [lucene-site] 02/02: Add CVE-2020-13957 page (#31)
mailing-list
x_refsource_MLIST
[bigtop-dev] 20210221 [jira] [Created] (BIGTOP-3507) Solr: CVE-2020-13957 mitigation backport
mailing-list
x_refsource_MLIST
[bigtop-issues] 20210221 [jira] [Created] (BIGTOP-3507) Solr: CVE-2020-13957 mitigation backport
mailing-list
x_refsource_MLIST
[bigtop-issues] 20210222 [jira] [Assigned] (BIGTOP-3507) Solr: CVE-2020-13957 mitigation backport
mailing-list
x_refsource_MLIST
[bigtop-issues] 20210301 [jira] [Resolved] (BIGTOP-3507) Solr: CVE-2020-13957 mitigation backport
mailing-list
x_refsource_MLIST
[bigtop-commits] 20210301 [bigtop] branch master updated: BIGTOP-3507: CVE-2020-13957 mitigation backport (#743)
mailing-list
x_refsource_MLIST
[druid-commits] 20210324 [GitHub] [druid] jihoonson opened a new pull request #11030: Suppress cves
mailing-list
x_refsource_MLIST