CVE-2017-3163: Path traversal attack

August 30, 2017 (updated May 17, 2018)

When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name Solr does not validate the file name, hence it is possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access.

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3163
issues.apache.org/jira/browse/SOLR-10031
nvd.nist.gov/vuln/detail/CVE-2017-3163

Detect and mitigate CVE-2017-3163 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →