CVE-2017-9803: Privilege escalation

September 18, 2017 (updated March 8, 2019)

Solr’s Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster.

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9803
issues.apache.org/jira/browse/SOLR-11184

Detect and mitigate CVE-2017-9803 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →