CVE-2017-3164

HIGH7.5EPSS 59.5%

Server-Side Request Forgery (SSRF) in org.apache.solr:solr-core

Published: 3/14/2019Modified: 4/28/2026

Description

Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.

Affected packages (2)

Debian/lucene-solrfrom 0
Maven/org.apache.solr:solr-core>= 1.3.0, < 7.7.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (13)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-3164
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-3164
WEBhttp://mail-archives.apache.org/mod_mbox/www-announce/201902.mbox/%3CCAECwjAVjBN%3DwO5rYs6ktAX-5%3D-f5JDFwbbTSM2TTjEbGO5jKKA%40mail.gmail.com%3E
WEBhttp://security.netapp.com/advisory/ntap-20190327-0003
WEBhttps://lists.apache.org/thread.html/43026507844ada1ac658ccf7bc939378c13e492fd6538416ce65df39@%3Cdev.lucene.apache.org%3E
WEBhttps://lists.apache.org/thread.html/75dc651478f9d04505b46d44fe3ac739e7aaf3d7bf1257973685f8f7@%3Cdev.lucene.apache.org%3E
WEBhttps://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
WEBhttps://lists.apache.org/thread.html/ca3105b6934ccd28e843dffe39724f6963ff49825e9b709837203649@%3Cdev.lucene.apache.org%3E
WEBhttps://lists.apache.org/thread.html/e0f9c652b57a91fdcc287efcead620af9f4d8e46b88f0b761aa265de@%3Cdev.lucene.apache.org%3E
WEBhttps://lists.apache.org/thread.html/rc400db37710ee79378b6c52de3640493ff538c2beb41cefdbbdf2ab8@%3Ccommits.submarine.apache.org%3E
WEBhttps://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
WEBhttp://www.oracle.com/security-alerts/cpuoct2020.html
WEBhttp://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html