This fix has also been backported to Solr 6.6.6 for users who are stuck with Solr 6.x.
(Sorry, I hadn't updated the issue and hence this was missed in the original mail.)

On Wed, Apr 24, 2019 at 12:35 PM Noble Paul <no...@apache.org> wrote:
>
> CVE-2018-11802: Apache Solr authorization bug disclosure
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected: Apache Solr 7.6 or less
>
> Description:
> JIRA ticket: https://issues.apache.org/jira/browse/SOLR-12514
> In Apache Solr the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
>
> Mitigation:
> A fix is provided in Solr 7.7 version and upwards. If you use Solr's authorization mechanism, please upgrade to a version newer than Solr 7.7.
>
> Credit: This issue was discovered by Mahesh Kumar Vasanthu Somashekar.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: java-user-unsubscr...@lucene.apache.org
> For additional commands, e-mail: java-user-h...@lucene.apache.org
>
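A small triage helper for the advisory above, added here as an example and not part of the original mail or of the Solr project: it reads a cluster's security.json (the constructed sample below uses the standard "authorization" / "class" layout) and the reported Solr version string, and reports whether the deployment falls in the affected set the thread describes (RuleBasedAuthorizationPlugin in use, and a version below 7.7 other than the 6.6.6 backport line).

```python
import json

# Fix boundaries taken from the advisory and the follow-up mail.
FIXED_MAIN = (7, 7, 0)       # fixed in Solr 7.7 and upwards
FIXED_BACKPORT = (6, 6, 6)   # backported to Solr 6.6.6 for 6.x users
NEXT_MAJOR = (7, 0, 0)       # 6.6.6 fix does not imply 7.0..7.6 are fixed

# Constructed sample security.json, as a cluster using the default
# rule-based authorization plugin would carry it in ZooKeeper.
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {"class": "solr.BasicAuthPlugin", "credentials": {"solr": "<hash>"}},
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "read", "role": "reader"}],
        "user-role": {"solr": "reader"},
    },
})


def parse_version(version):
    """Turn '7.6.0' or '6.6.5-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    base = version.split("-")[0]
    parts = [int(p) for p in base.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def uses_rule_based_authz(security_json):
    """True if the authorization section names RuleBasedAuthorizationPlugin
    (short 'solr.' alias or fully qualified class name)."""
    cfg = json.loads(security_json)
    cls = cfg.get("authorization", {}).get("class", "")
    return cls.endswith("RuleBasedAuthorizationPlugin")


def version_is_fixed(version):
    v = parse_version(version)
    if v >= FIXED_MAIN:
        return True
    return FIXED_BACKPORT <= v < NEXT_MAJOR


def affected_by_solr_12514(version, security_json):
    """Affected only when the vulnerable plugin is configured on an unfixed version."""
    return uses_rule_based_authz(security_json) and not version_is_fixed(version)


if __name__ == "__main__":
    for ver in ("7.6.0", "7.7.0", "6.6.5", "6.6.6"):
        print(ver, "affected" if affected_by_solr_12514(ver, SAMPLE_SECURITY_JSON) else "not affected")
```

In a live check the version comes from the node's admin system-info endpoint and security.json from ZooKeeper; the logic here only covers the plugin-and-version condition the advisory states, not the proxying behaviour itself.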